Windows Analysis Report
SGn3RtDC8Y.exe

Overview

General Information

Sample name: SGn3RtDC8Y.exe
Analysis ID: 1488266
MD5: 3ca2945c2c97310afef97e0c889cb8ec
SHA1: 8c966c390528be4c4212106e9a7e235bf628f269
SHA256: 4f14009eb3fcc7dae430cce6bb1a0a830adda753d234d3621cee0014d686321e
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Yara signature match

Classification

  • System is w10x64
  • SGn3RtDC8Y.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\SGn3RtDC8Y.exe" MD5: 3CA2945C2C97310AFEF97E0C889CB8EC)
    • cmd.exe (PID: 7560 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jlxopxf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7616 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\jlxopxf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7672 cmdline: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7732 cmdline: "C:\Windows\System32\sc.exe" description jlxopxf "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7788 cmdline: "C:\Windows\System32\sc.exe" start jlxopxf MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7864 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1200 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • ubezyssm.exe (PID: 7844 cmdline: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d"C:\Users\user\Desktop\SGn3RtDC8Y.exe" MD5: 32F0C83846CE2CC1E5F9549AE158AD56)
    • svchost.exe (PID: 8000 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 8036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 540 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7872 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7936 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7444 -ip 7444 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8008 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7844 -ip 7844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7264 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.1461743704.0000000002942000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x515a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
Source | Rule | Description | Author | Strings
12.3.ubezyssm.exe.2910000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.3.ubezyssm.exe.2910000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d"C:\Users\user\Desktop\SGn3RtDC8Y.exe", ParentImage: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe, ParentProcessId: 7844, ParentProcessName: ubezyssm.exe, ProcessCommandLine: svchost.exe, ProcessId: 8000, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\SGn3RtDC8Y.exe", ParentImage: C:\Users\user\Desktop\SGn3RtDC8Y.exe, ParentProcessId: 7444, ParentProcessName: SGn3RtDC8Y.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7672, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 8000, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d"C:\Users\user\Desktop\SGn3RtDC8Y.exe", ParentImage: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe, ParentProcessId: 7844, ParentProcessName: ubezyssm.exe, ProcessCommandLine: svchost.exe, ProcessId: 8000, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 8000, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jlxopxf
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\SGn3RtDC8Y.exe", ParentImage: C:\Users\user\Desktop\SGn3RtDC8Y.exe, ParentProcessId: 7444, ParentProcessName: SGn3RtDC8Y.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7672, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7872, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Local\Temp\ubezyssm.exe | Joe Sandbox ML: detected
Source: SGn3RtDC8Y.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Unpacked PE file: 0.2.SGn3RtDC8Y.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Unpacked PE file: 12.2.ubezyssm.exe.400000.0.unpack
Source: SGn3RtDC8Y.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\jlxopxf

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.106 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 213.226.112.95 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.11.0
Source: Joe Sandbox View | IP Address: 67.195.228.106
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: RETN-ASEU
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.8:49706 -> 52.101.11.0:25
Source: global traffic | TCP traffic: 192.168.2.8:49710 -> 67.195.228.106:25
Source: global traffic | TCP traffic: 192.168.2.8:57233 -> 142.251.168.26:25
Source: global traffic | TCP traffic: 192.168.2.8:57237 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 57236
Source: unknown | Network traffic detected: HTTP traffic on port 57238 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 57238
Source: unknown | Network traffic detected: HTTP traffic on port 57236 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SGn3RtDC8Y.exe PID: 7444, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ubezyssm.exe PID: 7844, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8000, type: MEMORYSTR

System Summary

Source: 12.3.ubezyssm.exe.2910000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.ubezyssm.exe.2910000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.ubezyssm.exe.28f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.ubezyssm.exe.28f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.1461743704.0000000002942000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1443238821.0000000002BF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jlxopxf\
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_0047C913
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: String function: 029B27AB appears 35 times
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7444 -ip 7444
Source: SGn3RtDC8Y.exe, 00000000.00000000.1384351438.000000000282C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesOdilesigo: vs SGn3RtDC8Y.exe
Source: SGn3RtDC8Y.exe, 00000000.00000002.1443278454.0000000002CAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesc.exej% vs SGn3RtDC8Y.exe
Source: SGn3RtDC8Y.exe, 00000000.00000002.1443278454.0000000002C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesOdilesigo: vs SGn3RtDC8Y.exe
Source: SGn3RtDC8Y.exe | Binary or memory string: OriginalFilenamesOdilesigo: vs SGn3RtDC8Y.exe
Source: SGn3RtDC8Y.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.3.ubezyssm.exe.2910000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.ubezyssm.exe.2910000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.SGn3RtDC8Y.exe.29e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.ubezyssm.exe.28f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.ubezyssm.exe.28f0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.1461743704.0000000002942000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1443238821.0000000002BF9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: SGn3RtDC8Y.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@32/3@9/5
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exeCode function: 0_2_02BFDFA0 CreateToolhelp32Snapshot,Module32First,0_2_02BFDFA0
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe  Code function: 18_2_00479A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \BaseNamedObjects\Local\SM0:8008:64:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
        Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe  Mutant created: \BaseNamedObjects\Local\SM0:7936:64:WilError_03
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  File created: C:\Users\user\AppData\Local\Temp\ubezyssm.exe
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  File read: C:\Users\user\Desktop\SGn3RtDC8Y.exe
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-14492
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-14320
        Source: unknown  Process created: C:\Users\user\Desktop\SGn3RtDC8Y.exe "C:\Users\user\Desktop\SGn3RtDC8Y.exe"
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jlxopxf\
        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\jlxopxf\
        Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jlxopxf "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jlxopxf
        Source: C:\Windows\SysWOW64\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown  Process created: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d"C:\Users\user\Desktop\SGn3RtDC8Y.exe"
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\SysWOW64\netsh.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7444 -ip 7444
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1200
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7844 -ip 7844
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 540
        Source: unknown  Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jlxopxf\
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\jlxopxf\
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jlxopxf "wifi internet conection"
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jlxopxf
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7444 -ip 7444
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1200
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7844 -ip 7844
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 540
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: slc.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe  Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe  Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe  Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: SGn3RtDC8Y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Unpacked PE file: 0.2.SGn3RtDC8Y.exe.400000.0.unpack .text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Unpacked PE file: 12.2.ubezyssm.exe.400000.0.unpack .text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Unpacked PE file: 0.2.SGn3RtDC8Y.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Unpacked PE file: 12.2.ubezyssm.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: SGn3RtDC8Y.exe | Static PE information: section name: .xevaj
        Source: SGn3RtDC8Y.exe | Static PE information: section name: .zac
        Source: SGn3RtDC8Y.exe | Static PE information: section name: .text entropy: 7.252737791491828
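The two section layouts above are the evidence behind the "Detected unpacking (changes PE section rights)" verdict. The static PE information lists .xevaj and .zac, so the first layout is the file on disk and the second is the image the sample rebuilt over itself at 0x400000, which carries the ordinary compiler sections (.rdata, .reloc) the packer stub lacks. The Python below is an added example, not code from the report or from the Joe Sandbox tooling: it parses the sandbox's section-rights notation, diffs the two layouts, flags non-standard names and writable-and-executable sections, and computes the byte entropy that produced the 7.25 score for .text. The list of common section names, the 7.0 packing threshold and the seeded byte stream standing in for packed code are the editor's assumptions.

```python
import math
import random
from collections import Counter
from typing import Dict, List

# Editor's list of section names an MSVC-built image normally carries (assumption,
# not something the sandbox publishes); anything else is worth a look.
COMMON_SECTION_NAMES = {'.text', '.rdata', '.data', '.pdata', '.idata', '.edata', '.rsrc',
                        '.reloc', '.tls', '.bss', '.crt', '.xdata', '.didat', '.gfids', '.00cfg'}

# The two layouts from this report: the file on disk (its static section table lists
# .xevaj and .zac) and the image the sample rebuilt over itself at 0x400000.
ON_DISK = '.text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R;'
IN_MEMORY = '.text:ER;.rdata:R;.data:W;.reloc:R;'


def parse_section_rights(layout: str) -> Dict[str, str]:
    # Sandbox notation: '<name>:<rights>;' per section, rights drawn from R/W/E.
    sections: Dict[str, str] = {}
    for entry in layout.strip().strip(';').split(';'):
        name, _, rights = entry.partition(':')
        if name.strip():
            sections[name.strip()] = rights.strip().upper()
    return sections


def compare_layouts(on_disk: str, in_memory: str) -> List[str]:
    # Sections that exist in only one layout, rights that changed, and W+X in memory.
    disk, mem = parse_section_rights(on_disk), parse_section_rights(in_memory)
    findings: List[str] = []
    for name in sorted(disk.keys() - mem.keys()):
        findings.append(f'{name}: only on disk')
    for name in sorted(mem.keys() - disk.keys()):
        findings.append(f'{name}: only in memory')
    for name in sorted(disk.keys() & mem.keys()):
        if disk[name] != mem[name]:
            findings.append(f'{name}: rights changed {disk[name]} -> {mem[name]}')
    for name, rights in sorted(mem.items()):
        if 'E' in rights and 'W' in rights:
            findings.append(f'{name}: writable and executable in memory')
    return findings


def nonstandard_sections(layout: str) -> List[str]:
    return sorted(n for n in parse_section_rights(layout) if n.lower() not in COMMON_SECTION_NAMES)


def shannon_entropy(data: bytes) -> float:
    # Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    # Compiled x86 code usually sits well under 7 bits/byte; this sample's .text scored 7.25.
    return shannon_entropy(data) >= threshold


def constructed_packed_bytes(seed: int = 1488266, size: int = 65536) -> bytes:
    # Seeded pseudo-random stream standing in for compressed or encrypted code (constructed input).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == '__main__':
    for line in compare_layouts(ON_DISK, IN_MEMORY):
        print(line)
    print('non-standard names on disk:', nonstandard_sections(ON_DISK))
    print('nop sled:', shannon_entropy(b'\x90' * 65536),
          'packed-looking:', round(shannon_entropy(constructed_packed_bytes()), 3))
```

The diff is what an analyst reads off the two rows: .xevaj, .zac and .rsrc exist only in the on-disk stub, .rdata and .reloc only in the rebuilt image, and nothing is W+X in the final layout. Run the entropy function over a real .text section (read it from the section table's raw offset and size) and anything above 7 bits/byte is a candidate for unpacking before any static analysis.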

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe (copy)
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | File created: C:\Users\user\AppData\Local\Temp\ubezyssm.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jlxopxf
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\sgn3rtdc8y.exe
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_0047199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-14753
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_18-7518
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-14916
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_18-6061
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-14760
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-14873
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_18-6345
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-14560
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-14507
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_18-7336
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-14509
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14337
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | API coverage: 5.6 %
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | API coverage: 4.1 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8044 | Thread sleep count: 36 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 8044 | Thread sleep time: -36000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount
        Source: svchost.exe, 00000012.00000002.2648229643.0000000000800000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | API call chain: ExitProcess graph end node graph_0-14764
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | API call chain: ExitProcess graph end node graph_12-14877

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_18-7580
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_029B0D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_029B092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_02BFD87D push dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Code function: 12_2_028F0D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Code function: 12_2_028F092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Code function: 12_2_02946A65 push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_00479A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.106 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 213.226.112.95 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 470000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 470000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 470000
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EF008
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jlxopxf\
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\jlxopxf\
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jlxopxf "wifi internet conection"
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jlxopxf
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7444 -ip 7444
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1200
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7844 -ip 7844
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 540
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SGn3RtDC8Y.exe PID: 7444, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: ubezyssm.exe PID: 7844, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8000, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.3.SGn3RtDC8Y.exe.29e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.2910000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.ubezyssm.exe.2910000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.28f0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.2910000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.svchost.exe.470000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.ubezyssm.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SGn3RtDC8Y.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.svchost.exe.470000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SGn3RtDC8Y.exe PID: 7444, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: ubezyssm.exe PID: 7844, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 8000, type: MEMORYSTR
        Source: C:\Users\user\Desktop\SGn3RtDC8Y.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 0_2_004088B0
        Source: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 12_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_004788B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 18_2_004788B0
        MITRE ATT&CK Matrix (numbers in parentheses are the per-technique counts shown in the report):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (41) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (3) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (12) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | Service Execution (3) | Windows Service (14) | Access Token Manipulation (1) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (14) | Software Packing (22) | NTDS | System Information Discovery (15) | Distributed Component Object Model | Input Capture | Application Layer Protocol (112) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (412) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (12) | DCSync | Process Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (1) | Proc Filesystem | System Owner/User Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (11) | /etc/passwd and /etc/shadow | System Network Configuration Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (412) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Behavior Graph ID: 1488266 | Sample: SGn3RtDC8Y.exe | Start date: 05/08/2024 | Architecture: WINDOWS | Score: 100
        (The interactive behavior graph is not reproduced; the process tree, contacted hosts and signatures it carried are listed below.)

        Sample-level contacted hosts: yahoo.com, vanaheim.cn, 6 other IPs or domains
        Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures

        Process tree:
        • ubezyssm.exe (signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures)
          • svchost.exe
            contacted: mta6.am0.yahoodns.net 67.195.228.106, 25 (YAHOO-GQ1US, United States); vanaheim.cn 213.226.112.95, 443, 49707, 57236 (RETN-ASEU, Russian Federation); 3 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
          • WerFault.exe
        • SGn3RtDC8Y.exe (dropped: C:\Users\user\AppData\Local\...\ubezyssm.exe, PE32; signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall)
          • cmd.exe (dropped: C:\Windows\SysWOW64\...\ubezyssm.exe (copy), PE32)
            • conhost.exe
          • netsh.exe
            • conhost.exe
          • cmd.exe
            • conhost.exe
          • 4 other processes
            • conhost.exe (3 instances)
        • svchost.exe
          • WerFault.exe
          • WerFault.exe
        • svchost.exe

        Source | Detection | Scanner | Label
        SGn3RtDC8Y.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\ubezyssm.exe | 100% | Joe Sandbox ML |

        No Antivirus matches

        No Antivirus matches

        Source | Detection | Scanner | Label
        jotunheim.name:443 | 100% | Avira URL Cloud | malware
        vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        mta6.am0.yahoodns.net | 67.195.228.106 | true | true | | unknown
        mxs.mail.ru | 217.69.139.150 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
        vanaheim.cn | 213.226.112.95 | true | true | | unknown
        smtp.google.com | 142.251.168.26 | true | false | | unknown
        google.com | unknown | unknown | true | | unknown
        yahoo.com | unknown | unknown | true | | unknown
        mail.ru | unknown | unknown | true | | unknown

        Name | Malicious | Antivirus Detection | Reputation
        vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
        jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        67.195.228.106 | mta6.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
        213.226.112.95 | vanaheim.cn | Russian Federation | 9002 | RETN-ASEU | true
        142.251.168.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
        Joe Sandbox version: 40.0.0 Tourmaline
        Analysis ID: 1488266
        Start date and time: 2024-08-05 19:37:07 +02:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 6m 11s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed: 28
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: SGn3RtDC8Y.exe
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@32/3@9/5
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 99%
        • Number of executed functions: 63
        • Number of non-executed functions: 262
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
        • Excluded IPs from analysis (whitelisted): 20.76.201.171, 20.70.246.20, 20.231.239.246, 20.112.250.133, 20.236.44.162
        • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: SGn3RtDC8Y.exe
        Time | Type | Description
        13:38:49 | API Interceptor | 9x Sleep call for process: svchost.exe modified
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        52.101.11.0 | vyrcclmm.exe | malicious | Tofsee |
        52.101.11.0 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee |
        52.101.11.0 | DWoKcG581L.exe | malicious | Tofsee |
        52.101.11.0 | kPl1mZTpru.exe | malicious | Tofsee |
        52.101.11.0 | Wc4SadetF5.exe | malicious | Tofsee |
        52.101.11.0 | L7iza9mNDI.exe | malicious | Tofsee |
        52.101.11.0 | file.exe | malicious | Tofsee |
        52.101.11.0 | sorteado!!.com.exe | malicious | Unknown |
        52.101.11.0 | U9dDsItOij.exe | malicious | Tofsee |
        52.101.11.0 | bwntJQufLG.exe | malicious | Tofsee |
        67.195.228.106 | file.exe | malicious | Phorpiex |
        67.195.228.106 | newtpp.exe | malicious | Phorpiex |
        67.195.228.106 | gEkl9O5tiu.exe | malicious | Phorpiex |
        67.195.228.106 | l3Qj8QhTYZ.exe | malicious | Phorpiex |
        67.195.228.106 | Update-KB6734-x86.exe | malicious | Unknown |
        67.195.228.106 | Update-KB78-x86.exe | malicious | Unknown |
        67.195.228.106 | DWVByMCYL8.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Xmrig |
        67.195.228.106 | HsWJJz7nq4.exe | malicious | Tofsee Xmrig |
        67.195.228.106 | ac492e6a204784df07ef3841b3ae1f8a68b349db90a34.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Xmrig |
        67.195.228.106 | body.elm.exe | malicious | Unknown |
        213.226.112.95 | Sm4Ty3Em4z.exe | malicious | Tofsee |
        213.226.112.95 | ewdWlNc8TL.exe | malicious | Tofsee |
        213.226.112.95 | rRBVVlBwia.exe | malicious | Tofsee |
        217.69.139.150 | Sm4Ty3Em4z.exe | malicious | Tofsee |
        217.69.139.150 | ewdWlNc8TL.exe | malicious | Tofsee |
        217.69.139.150 | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee |
        217.69.139.150 | vyrcclmm.exe | malicious | Tofsee |
        217.69.139.150 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee |
        217.69.139.150 | I5vhb7vJPS.exe | malicious | Tofsee |
        217.69.139.150 | lYWiDKe1In.exe | malicious | Tofsee |
        217.69.139.150 | dIg0MWRViP.exe | malicious | Tofsee |
        217.69.139.150 | rpzOeQ5QzX.exe | malicious | Tofsee |
        217.69.139.150 | OgcktrbHkI.exe | malicious | Tofsee |

        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        microsoft-com.mail.protection.outlook.com | .exe | malicious | Unknown | 52.101.40.26
        microsoft-com.mail.protection.outlook.com | Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
        microsoft-com.mail.protection.outlook.com | ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
        microsoft-com.mail.protection.outlook.com | rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
        microsoft-com.mail.protection.outlook.com | setup.exe | malicious | Tofsee | 52.101.40.26
        microsoft-com.mail.protection.outlook.com | m4Jp2TLBHJ.exe | malicious | Tofsee | 104.47.53.36
        microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 104.47.54.36
        microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 104.47.53.36
        microsoft-com.mail.protection.outlook.com | vyrcclmm.exe | malicious | Tofsee | 52.101.11.0
        microsoft-com.mail.protection.outlook.com | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 52.101.11.0
        mta6.am0.yahoodns.net | .exe | malicious | Unknown | 98.136.96.76
        mta6.am0.yahoodns.net | Sm4Ty3Em4z.exe | malicious | Tofsee | 67.195.204.73
        mta6.am0.yahoodns.net | ewdWlNc8TL.exe | malicious | Tofsee | 67.195.204.74
        mta6.am0.yahoodns.net | rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
        mta6.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
        mta6.am0.yahoodns.net | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
        mta6.am0.yahoodns.net | OgcktrbHkI.exe | malicious | Tofsee | 67.195.228.110
        mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.94
        mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.204.72
        mta6.am0.yahoodns.net | RqrQG7s66x.dll | malicious | Unknown | 67.195.228.109
        vanaheim.cn | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
        vanaheim.cn | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
        vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
        vanaheim.cn | setup.exe | malicious | Tofsee | 185.218.0.41
        vanaheim.cn | m4Jp2TLBHJ.exe | malicious | Tofsee | 195.133.13.231
        vanaheim.cn | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee |
                                                                                          • 195.133.13.231
                                                                                          SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exeGet hashmaliciousTofseeBrowse
                                                                                          • 195.133.13.231
                                                                                          vyrcclmm.exeGet hashmaliciousTofseeBrowse
                                                                                          • 195.133.13.231
                                                                                          AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                          • 195.133.13.231
                                                                                          I5vhb7vJPS.exeGet hashmaliciousTofseeBrowse
                                                                                          • 62.76.228.127
                                                                                          mxs.mail.ruSm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                          • 217.69.139.150
                                                                                          ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                          • 217.69.139.150
                                                                                          rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          setup.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          5CxmQXL0LD.exeGet hashmaliciousSystemBCBrowse
                                                                                          • 94.100.180.31
                                                                                          m4Jp2TLBHJ.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeGet hashmaliciousTofseeBrowse
                                                                                          • 217.69.139.150
                                                                                          SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          vyrcclmm.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                          • 217.69.139.150
                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          RETN-ASEUSm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                          • 213.226.112.95
                                                                                          http://baghoorg.xyzGet hashmaliciousUnknownBrowse
                                                                                          • 139.45.197.153
                                                                                          ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                          • 213.226.112.95
                                                                                          LisectAVT_2403002A_312.exeGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 139.45.197.236
                                                                                          LisectAVT_2403002A_312.exeGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 139.45.197.236
                                                                                          rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                                          • 213.226.112.95
                                                                                          https://ky.codzika.xyz/pubg/Get hashmaliciousUnknownBrowse
                                                                                          • 139.45.197.250
                                                                                          https://plcr.com.ng/atm.php?user=21003&ref=21003Get hashmaliciousUnknownBrowse
                                                                                          • 139.45.197.237
                                                                                          http://becast.onionlive.workers.devGet hashmaliciousUnknownBrowse
                                                                                          • 139.45.197.236
                                                                                          http://thampolsi.comGet hashmaliciousUnknownBrowse
                                                                                          • 139.45.197.244
                                                                                          MAILRU-ASMailRuRUSm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                          • 217.69.139.150
                                                                                          SecuriteInfo.com.Trojan.Crypt.28917.30010.exeGet hashmaliciousUnknownBrowse
                                                                                          • 5.61.236.163
                                                                                          IISz6QDXkY.elfGet hashmaliciousMiraiBrowse
                                                                                          • 5.61.23.77
                                                                                          ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                          • 217.69.139.150
                                                                                          7Y18r(123).exeGet hashmaliciousUnknownBrowse
                                                                                          • 94.100.180.106
                                                                                          rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          setup.exeGet hashmaliciousTofseeBrowse
                                                                                          • 94.100.180.31
                                                                                          SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exeGet hashmaliciousUnknownBrowse
                                                                                          • 5.61.236.163
                                                                                          botx.arm6.elfGet hashmaliciousMiraiBrowse
                                                                                          • 79.137.247.12
                                                                                          SIP.03746.XSLSX.exeGet hashmaliciousUnknownBrowse
                                                                                          • 217.69.139.160
                                                                                          MICROSOFT-CORP-MSN-AS-BLOCKUSBWISE Solution #24-2000091.pdfGet hashmaliciousUnknownBrowse
                                                                                          • 52.146.76.30
                                                                                          https://www.templatent.com/eur/53d926b2-0373-4a76-8641-e3f5488f632d/768e4d81-78b7-4fd9-a857-c5bae5c87179/8806a07c-707c-445d-b36c-c08aabe89fc9/login?id=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 hashmaliciousUnknownBrowse
                                                                                          • 13.107.246.60
                                                                                          https://grace-barr.filemail.com/t/Fc9Dus5dGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 52.98.241.162
                                                                                          001original.emlGet hashmaliciousUnknownBrowse
                                                                                          • 104.208.16.91
                                                                                          Saic Benefits_Enrollment.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 13.107.246.60
                                                                                          FW Quote.msgGet hashmaliciousHTMLPhisherBrowse
                                                                                          • 52.109.76.243
                                                                                          https://thehackernews.com/2024/08/new-android-trojan-blankbot-targets.htmlGet hashmaliciousUnknownBrowse
                                                                                          • 13.107.246.60
                                                                                          Tax_List1.accdeGet hashmaliciousUnknownBrowse
                                                                                          • 104.208.16.88
                                                                                          2v5GEWkdGs.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 13.107.246.60
                                                                                          RoeyfVUJc5.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 13.107.253.72
                                                                                          YAHOO-GQ1US .exeGet hashmaliciousUnknownBrowse
                                                                                          • 67.195.228.84
                                                                                          botx.arm6.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.137.77.194
                                                                                          qD7cj0t7Ag.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                          • 98.137.186.234
                                                                                          AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                          • 67.195.228.94
                                                                                          I5vhb7vJPS.exeGet hashmaliciousTofseeBrowse
                                                                                          • 67.195.228.110
                                                                                          https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500Get hashmaliciousUnknownBrowse
                                                                                          • 98.137.11.164
                                                                                          dIg0MWRViP.exeGet hashmaliciousTofseeBrowse
                                                                                          • 67.195.228.94
                                                                                          GK9sEyIS4f.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.136.201.234
                                                                                          n6UMcur8v3.elfGet hashmaliciousMiraiBrowse
                                                                                          • 98.137.238.181
                                                                                          zGP5DlrwgZ.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                          • 98.137.103.190
No context
No context

Process: C:\Users\user\Desktop\SGn3RtDC8Y.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12340224
Entropy (8bit): 4.718126448713269
Encrypted: false
SSDEEP: 24576:ZIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOv:ZItG1
MD5: 32F0C83846CE2CC1E5F9549AE158AD56
SHA1: 3C147F1AF0077F1AB901F2B0875C36CF034ECE52
SHA-256: 9FF2FE5E4C2CFCC0871FB897E5D315732B8E25CEABC60D14644E59D734D033EB
SHA-512: 62ABF9946C131B9921791CAA39070193C0B24363738A4E08C8232F70EA958B880B13275112B887513B0CE67403AE5B67F0A18FC4A04E5E53C226A5750E2C261F
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d......................A......[............@..........................`C.....Ta.........................................P.....B.............................................................A..@............................................text...0........................... ..`.data...T.?......|..................@....xevaj........B......0..............@..@.zac..........B......4..............@....rsrc........B......8..............@..@........................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 12340224
Entropy (8bit): 4.718126448713269
Encrypted: false
SSDEEP: 24576:ZIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOv:ZItG1
MD5: 32F0C83846CE2CC1E5F9549AE158AD56
SHA1: 3C147F1AF0077F1AB901F2B0875C36CF034ECE52
SHA-256: 9FF2FE5E4C2CFCC0871FB897E5D315732B8E25CEABC60D14644E59D734D033EB
SHA-512: 62ABF9946C131B9921791CAA39070193C0B24363738A4E08C8232F70EA958B880B13275112B887513B0CE67403AE5B67F0A18FC4A04E5E53C226A5750E2C261F
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d......................A......[............@..........................`C.....Ta.........................................P.....B.............................................................A..@............................................text...0........................... ..`.data...T.?......|..................@....xevaj........B......0..............@..@.zac..........B......4..............@....rsrc........B......8..............@..@........................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.264917271787961
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SGn3RtDC8Y.exe
File size: 315'904 bytes
MD5: 3ca2945c2c97310afef97e0c889cb8ec
SHA1: 8c966c390528be4c4212106e9a7e235bf628f269
SHA256: 4f14009eb3fcc7dae430cce6bb1a0a830adda753d234d3621cee0014d686321e
SHA512: 1ddae2b47e39ed822e063bd749e6d51c4a815239bf3fbe222a4cccdfd681d419427bf28ad19c26efec3bc72b840f92de05663848b7dd7ec77bc817ee2220655c
SSDEEP: 3072:450fnzC44jWJ5jj0GpS9bfyZ2RG0xacKyPssuQXF5aM5S1FjVQq2T0:jPzjR5X0G4bf62VxUHsuQCMg1FJQq2T
TLSH: 9D64BF2172A0C071D5A717344874D7BE6A7EB863B774808B37986B7F6E303812AB175E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d...................
Icon Hash: cd4d3d2e4e054d07
Entrypoint: 0x405b8d
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x641022E1 [Tue Mar 14 07:31:45 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: b06a0c09a322281148d5729ca5d14149
Instruction
call 00007F149940C03Fh
jmp 00007F14994075AEh
int3
int3
int3
int3
int3
int3
int3
int3
int3
call 00007F149940775Ch
xchg cl, ch
jmp 00007F1499407744h
call 00007F1499407753h
fxch st(0), st(1)
jmp 00007F149940773Bh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F1499407731h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F1499407726h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F1499407724h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
                                                                                          faddp st(1), st(0)
                                                                                          fmulp st(1), st(0)
                                                                                          ftst
                                                                                          wait
                                                                                          fstsw word ptr [ebp-000000A0h]
                                                                                          wait
                                                                                          test byte ptr [ebp-0000009Fh], 00000001h
                                                                                          jne 00007F1499407727h
                                                                                          xor ch, ch
                                                                                          fsqrt
                                                                                          ret
                                                                                          pop eax
                                                                                          jmp 00007F149940813Fh
                                                                                          fstp st(0)
                                                                                          fld tbyte ptr [00401C6Ah]
                                                                                          ret
                                                                                          fstp st(0)
                                                                                          or cl, cl
                                                                                          je 00007F149940772Dh
                                                                                          fstp st(0)
                                                                                          fldpi
                                                                                          or ch, ch
                                                                                          je 00007F1499407724h
                                                                                          fchs
                                                                                          ret
                                                                                          fstp st(0)
                                                                                          fldz
                                                                                          or ch, ch
                                                                                          je 00007F1499407719h
                                                                                          fchs
                                                                                          ret
                                                                                          fstp st(0)
                                                                                          jmp 00007F1499408115h
                                                                                          fstp st(0)
                                                                                          mov cl, ch
                                                                                          jmp 00007F1499407722h
                                                                                          call 00007F14994076EEh
                                                                                          jmp 00007F1499408120h
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          int3
                                                                                          push ebp
                                                                                          mov ebp, esp
                                                                                          add esp, 00000000h
                                                                                          Programming Language:
                                                                                          • [C++] VS2010 build 30319
                                                                                          • [ASM] VS2010 build 30319
                                                                                          • [ C ] VS2010 build 30319
                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                          • [RES] VS2010 build 30319
                                                                                          • [LNK] VS2010 build 30319
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b4c8 | 0x50 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x242c000 | 0x98e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2b518 | 0x1c | .text |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x41e8 | 0x40 | .text |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1d4 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x2af30 | 0x2b000 | 207b2dcd8ee9c04e6e9ebd7b8e1dca7a | False | 0.731956304505814 | data | 7.252737791491828 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x2c000 | 0x23fd754 | 0x17c00 | 4ed0a0848cf99f853787caf138c78996 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .xevaj | 0x242a000 | 0x2d3 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .zac | 0x242b000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x242c000 | 0x98e8 | 0x9a00 | 8616ee7d72974b73d186ce4629b49ff0 | False | 0.4296875 | data | 4.694510365723179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x2432c98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755 |
| RT_CURSOR | 0x2433b40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018 |
| RT_CURSOR | 0x24343e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751 |
| RT_ICON | 0x242c420 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.4728144989339019 |
| RT_ICON | 0x242c420 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.4728144989339019 |
| RT_ICON | 0x242d2c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5870938628158845 |
| RT_ICON | 0x242d2c8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5870938628158845 |
| RT_ICON | 0x242db70 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.6486175115207373 |
| RT_ICON | 0x242db70 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.6486175115207373 |
| RT_ICON | 0x242e238 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.7001445086705202 |
| RT_ICON | 0x242e238 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.7001445086705202 |
| RT_ICON | 0x242e7a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.37022821576763487 |
| RT_ICON | 0x242e7a0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.37022821576763487 |
| RT_ICON | 0x2430d48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.46364915572232646 |
| RT_ICON | 0x2430d48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.46364915572232646 |
| RT_ICON | 0x2431df0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.5413934426229509 |
| RT_ICON | 0x2431df0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.5413934426229509 |
| RT_ICON | 0x2432778 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.6356382978723404 |
| RT_ICON | 0x2432778 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.6356382978723404 |
| RT_STRING | 0x2434bb8 | 0x446 | data | Tamil | India | 0.45429616087751373 |
| RT_STRING | 0x2434bb8 | 0x446 | data | Tamil | Sri Lanka | 0.45429616087751373 |
| RT_STRING | 0x2435000 | 0x28e | data | Tamil | India | 0.481651376146789 |
| RT_STRING | 0x2435000 | 0x28e | data | Tamil | Sri Lanka | 0.481651376146789 |
| RT_STRING | 0x2435290 | 0x658 | data | Tamil | India | 0.42980295566502463 |
| RT_STRING | 0x2435290 | 0x658 | data | Tamil | Sri Lanka | 0.42980295566502463 |
| RT_ACCELERATOR | 0x2432c58 | 0x40 | data | Tamil | India | 0.875 |
| RT_ACCELERATOR | 0x2432c58 | 0x40 | data | Tamil | Sri Lanka | 0.875 |
| RT_GROUP_CURSOR | 0x2434950 | 0x30 | data | | | 0.9375 |
| RT_GROUP_ICON | 0x2432be0 | 0x76 | data | Tamil | India | 0.6610169491525424 |
| RT_GROUP_ICON | 0x2432be0 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424 |
| RT_VERSION | 0x2434980 | 0x234 | data | | | 0.526595744680851 |
| DLL | Import |
|---|---|
| KERNEL32.dll | CreateNamedPipeW, GetConsoleAliasesA, GetNumberFormatA, EnumTimeFormatsA, GetConsoleCP, GlobalAlloc, SetFileShortNameW, LoadLibraryW, FatalAppExitW, CreateEventA, GetConsoleAliasW, HeapValidate, ReplaceFileW, GetModuleFileNameW, GetSystemDirectoryA, GlobalUnlock, CreateJobObjectA, LCMapStringA, GetLastError, SetLastError, GetProcAddress, IsBadHugeWritePtr, CreateJobSet, LoadLibraryA, GetTickCount, SetConsoleCtrlHandler, AddAtomW, QueryDosDeviceW, HeapWalk, SetEnvironmentVariableA, GetOEMCP, GetModuleHandleA, GetProcessShutdownParameters, EnumResourceNamesA, RequestWakeupLatency, EnumDateFormatsW, PeekConsoleInputA, GetDiskFreeSpaceExA, GetCurrentProcessId, GetProcessHeap, SetEndOfFile, GetStringTypeW, LCMapStringW, MultiByteToWideChar, WriteConsoleW, GetModuleHandleW, GetConsoleAliasesLengthW, CreateFileA, CreateFileMappingA, EnumResourceNamesW, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, TerminateProcess, GetCurrentProcess, HeapAlloc, HeapFree, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, RtlUnwind, SetFilePointer, HeapCreate, CloseHandle, RaiseException, ExitProcess, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetSystemTimeAsFileTime, Sleep, GetConsoleMode, GetCPInfo, GetACP, IsValidCodePage, ReadFile, SetStdHandle, FlushFileBuffers, HeapSize, CreateFileW |
| USER32.dll | ChangeMenuA, GetDC, DrawStateA, CharUpperBuffA, GetMenuState, GetCaretPos, GetSysColorBrush, GetComboBoxInfo, SetCaretPos |
| GDI32.dll | GetCharWidthI, CreateDCA, CreateDCW, GetCharWidthW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| Tamil | India | |
| Tamil | Sri Lanka | |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 5, 2024 19:38:07.798782110 CEST | 49706 | 25 | 192.168.2.8 | 52.101.11.0 |
| Aug 5, 2024 19:38:08.808866024 CEST | 49706 | 25 | 192.168.2.8 | 52.101.11.0 |
| Aug 5, 2024 19:38:10.709433079 CEST | 49707 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:38:10.709475994 CEST | 443 | 49707 | 213.226.112.95 | 192.168.2.8 |
| Aug 5, 2024 19:38:10.709569931 CEST | 49707 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:38:10.808978081 CEST | 49706 | 25 | 192.168.2.8 | 52.101.11.0 |
| Aug 5, 2024 19:38:14.808959007 CEST | 49706 | 25 | 192.168.2.8 | 52.101.11.0 |
| Aug 5, 2024 19:38:22.824601889 CEST | 49706 | 25 | 192.168.2.8 | 52.101.11.0 |
| Aug 5, 2024 19:38:27.812928915 CEST | 49710 | 25 | 192.168.2.8 | 67.195.228.106 |
| Aug 5, 2024 19:38:28.824659109 CEST | 49710 | 25 | 192.168.2.8 | 67.195.228.106 |
| Aug 5, 2024 19:38:30.824568987 CEST | 49710 | 25 | 192.168.2.8 | 67.195.228.106 |
| Aug 5, 2024 19:38:34.824673891 CEST | 49710 | 25 | 192.168.2.8 | 67.195.228.106 |
| Aug 5, 2024 19:38:42.824698925 CEST | 49710 | 25 | 192.168.2.8 | 67.195.228.106 |
| Aug 5, 2024 19:38:47.845360994 CEST | 57233 | 25 | 192.168.2.8 | 142.251.168.26 |
| Aug 5, 2024 19:38:48.855887890 CEST | 57233 | 25 | 192.168.2.8 | 142.251.168.26 |
| Aug 5, 2024 19:38:50.700011015 CEST | 49707 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:38:50.700084925 CEST | 443 | 49707 | 213.226.112.95 | 192.168.2.8 |
| Aug 5, 2024 19:38:50.700149059 CEST | 49707 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:38:50.812700033 CEST | 57236 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:38:50.812738895 CEST | 443 | 57236 | 213.226.112.95 | 192.168.2.8 |
| Aug 5, 2024 19:38:50.812803030 CEST | 57236 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:38:50.871539116 CEST | 57233 | 25 | 192.168.2.8 | 142.251.168.26 |
| Aug 5, 2024 19:38:54.871682882 CEST | 57233 | 25 | 192.168.2.8 | 142.251.168.26 |
| Aug 5, 2024 19:39:02.890944004 CEST | 57233 | 25 | 192.168.2.8 | 142.251.168.26 |
| Aug 5, 2024 19:39:07.875880003 CEST | 57237 | 25 | 192.168.2.8 | 217.69.139.150 |
| Aug 5, 2024 19:39:08.887248039 CEST | 57237 | 25 | 192.168.2.8 | 217.69.139.150 |
| Aug 5, 2024 19:39:10.902874947 CEST | 57237 | 25 | 192.168.2.8 | 217.69.139.150 |
| Aug 5, 2024 19:39:14.918591976 CEST | 57237 | 25 | 192.168.2.8 | 217.69.139.150 |
| Aug 5, 2024 19:39:22.918617964 CEST | 57237 | 25 | 192.168.2.8 | 217.69.139.150 |
| Aug 5, 2024 19:39:30.825325966 CEST | 57236 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:39:30.825402021 CEST | 443 | 57236 | 213.226.112.95 | 192.168.2.8 |
| Aug 5, 2024 19:39:30.825458050 CEST | 57236 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:39:30.935359955 CEST | 57238 | 443 | 192.168.2.8 | 213.226.112.95 |
| Aug 5, 2024 19:39:30.935401917 CEST | 443 | 57238 | 213.226.112.95 | 192.168.2.8 |
| Aug 5, 2024 19:39:30.935488939 CEST | 57238 | 443 | 192.168.2.8 | 213.226.112.95 |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 5, 2024 19:38:07.537410021 CEST | 64300 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:38:07.797939062 CEST | 53 | 64300 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:38:10.512768984 CEST | 60578 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:38:10.708720922 CEST | 53 | 60578 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:38:27.794228077 CEST | 63138 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:38:27.801183939 CEST | 53 | 63138 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:38:27.801959991 CEST | 52766 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:38:27.812226057 CEST | 53 | 52766 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:38:47.504132986 CEST | 53 | 62373 | 162.159.36.2 | 192.168.2.8 |
| Aug 5, 2024 19:38:47.825210094 CEST | 58995 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:38:47.834175110 CEST | 53 | 58995 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:38:47.834889889 CEST | 50947 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:38:47.844665051 CEST | 53 | 50947 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:38:48.017450094 CEST | 53 | 59394 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:39:07.856681108 CEST | 57316 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:39:07.866209984 CEST | 53 | 57316 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:39:07.867010117 CEST | 57838 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:39:07.875178099 CEST | 53 | 57838 | 1.1.1.1 | 192.168.2.8 |
| Aug 5, 2024 19:40:06.855220079 CEST | 61861 | 53 | 192.168.2.8 | 1.1.1.1 |
| Aug 5, 2024 19:40:06.893662930 CEST | 53 | 61861 | 1.1.1.1 | 192.168.2.8 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Aug 5, 2024 19:38:07.537410021 CEST | 192.168.2.8 | 1.1.1.1 | 0x17c | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:10.512768984 CEST | 192.168.2.8 | 1.1.1.1 | 0x47f8 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.794228077 CEST | 192.168.2.8 | 1.1.1.1 | 0xe0fd | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.801959991 CEST | 192.168.2.8 | 1.1.1.1 | 0xd782 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:47.825210094 CEST | 192.168.2.8 | 1.1.1.1 | 0x2534 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false |
| Aug 5, 2024 19:38:47.834889889 CEST | 192.168.2.8 | 1.1.1.1 | 0xc10d | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:39:07.856681108 CEST | 192.168.2.8 | 1.1.1.1 | 0xbf98 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false |
| Aug 5, 2024 19:39:07.867010117 CEST | 192.168.2.8 | 1.1.1.1 | 0xaa51 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:40:06.855220079 CEST | 192.168.2.8 | 1.1.1.1 | 0x8aba | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Aug 5, 2024 19:38:07.797939062 CEST | 1.1.1.1 | 192.168.2.8 | 0x17c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:07.797939062 CEST | 1.1.1.1 | 192.168.2.8 | 0x17c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:07.797939062 CEST | 1.1.1.1 | 192.168.2.8 | 0x17c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:07.797939062 CEST | 1.1.1.1 | 192.168.2.8 | 0x17c | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:10.708720922 CEST | 1.1.1.1 | 192.168.2.8 | 0x47f8 | No error (0) | vanaheim.cn | | 213.226.112.95 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.801183939 CEST | 1.1.1.1 | 192.168.2.8 | 0xe0fd | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.801183939 CEST | 1.1.1.1 | 192.168.2.8 | 0xe0fd | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.801183939 CEST | 1.1.1.1 | 192.168.2.8 | 0xe0fd | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.812226057 CEST | 1.1.1.1 | 192.168.2.8 | 0xd782 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.812226057 CEST | 1.1.1.1 | 192.168.2.8 | 0xd782 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.812226057 CEST | 1.1.1.1 | 192.168.2.8 | 0xd782 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.812226057 CEST | 1.1.1.1 | 192.168.2.8 | 0xd782 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.812226057 CEST | 1.1.1.1 | 192.168.2.8 | 0xd782 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 19:38:27.812226057 CEST | 1.1.1.1 | 192.168.2.8 | 0xd782 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false |
                                                                                          Aug 5, 2024 19:38:27.812226057 CEST1.1.1.1192.168.2.80xd782No error (0)mta6.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:27.812226057 CEST1.1.1.1192.168.2.80xd782No error (0)mta6.am0.yahoodns.net67.195.228.111A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:47.834175110 CEST1.1.1.1192.168.2.80x2534No error (0)google.comMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:47.844665051 CEST1.1.1.1192.168.2.80xc10dNo error (0)smtp.google.com142.251.168.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:47.844665051 CEST1.1.1.1192.168.2.80xc10dNo error (0)smtp.google.com66.102.1.27A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:47.844665051 CEST1.1.1.1192.168.2.80xc10dNo error (0)smtp.google.com142.250.110.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:47.844665051 CEST1.1.1.1192.168.2.80xc10dNo error (0)smtp.google.com142.250.110.27A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:38:47.844665051 CEST1.1.1.1192.168.2.80xc10dNo error (0)smtp.google.com142.251.168.27A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:39:07.866209984 CEST1.1.1.1192.168.2.80xbf98No error (0)mail.ruMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:39:07.875178099 CEST1.1.1.1192.168.2.80xaa51No error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:39:07.875178099 CEST1.1.1.1192.168.2.80xaa51No error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:40:06.893662930 CEST1.1.1.1192.168.2.80x8abaNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:40:06.893662930 CEST1.1.1.1192.168.2.80x8abaNo error (0)microsoft-com.mail.protection.outlook.com52.101.11.0A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:40:06.893662930 CEST1.1.1.1192.168.2.80x8abaNo error (0)microsoft-com.mail.protection.outlook.com52.101.8.49A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:40:06.893662930 CEST1.1.1.1192.168.2.80x8abaNo error (0)microsoft-com.mail.protection.outlook.com52.101.42.0A (IP address)IN (0x0001)false
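
The rows above show the sandbox host (192.168.2.8) asking the resolver for the MX records of yahoo.com, google.com and mail.ru and, within milliseconds of each answer, for the A records of the returned exchangers (mta6.am0.yahoodns.net, smtp.google.com, mxs.mail.ru, microsoft-com.mail.protection.outlook.com). A workstation has no reason to resolve MX records; that pattern is how a spam bot such as Tofsee finds where to deliver its mail. The Python below is an added example, not part of the Joe Sandbox report, that turns the pattern into a detection over DNS query records. The records are constructed from the tables above (the MX query timestamps for yahoo.com and google.com are not in this excerpt and are assumed), the host 192.168.2.9 and its queries are invented as a benign control, and the threshold and window values are assumptions to be tuned per environment.

```python
"""Heuristic for spam-bot DNS behaviour: a host that resolves MX records for
several unrelated mail domains in a short window, each immediately followed
by an A lookup for the returned mail exchanger, is acting as an outbound
mailer. Tofsee's spam module produces exactly this footprint.

Added example for the report above; the query records are constructed from
its DNS tables, and 192.168.2.9 is an invented benign host for contrast."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsQuery:
    ts: datetime
    src: str
    name: str
    qtype: str  # "A", "MX", ...


def parse_ts(raw: str) -> datetime:
    """Parse the report's 'Aug 5, 2024 19:38:47.834889889 CEST' format.
    strptime's %f takes at most 6 fractional digits, so the 9-digit
    fraction is truncated to microseconds; the zone suffix is dropped."""
    body, _zone = raw.rsplit(" ", 1)
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def q(ts: str, src: str, name: str, qtype: str) -> DnsQuery:
    return DnsQuery(parse_ts(ts), src, name, qtype)


# Constructed from the report. The MX query timestamps for yahoo.com and
# google.com are not in the excerpt and are assumed (just before the answer).
SAMPLE_QUERIES: List[DnsQuery] = [
    q("Aug 5, 2024 19:38:27.790000000 CEST", "192.168.2.8", "yahoo.com", "MX"),
    q("Aug 5, 2024 19:38:27.805000000 CEST", "192.168.2.8", "mta6.am0.yahoodns.net", "A"),
    q("Aug 5, 2024 19:38:30.000000000 CEST", "192.168.2.9", "example.com", "MX"),   # benign control
    q("Aug 5, 2024 19:38:35.000000000 CEST", "192.168.2.9", "www.example.com", "A"),
    q("Aug 5, 2024 19:38:47.825000000 CEST", "192.168.2.8", "google.com", "MX"),
    q("Aug 5, 2024 19:38:47.834889889 CEST", "192.168.2.8", "smtp.google.com", "A"),
    q("Aug 5, 2024 19:39:07.856681108 CEST", "192.168.2.8", "mail.ru", "MX"),
    q("Aug 5, 2024 19:39:07.867010117 CEST", "192.168.2.8", "mxs.mail.ru", "A"),
    q("Aug 5, 2024 19:40:06.855220079 CEST", "192.168.2.8",
      "microsoft-com.mail.protection.outlook.com", "A"),
]


def detect_mx_harvesting(queries: List[DnsQuery], threshold: int = 3,
                         window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Flag a source that queries MX for >= threshold distinct domains within
    `window`. Threshold and window are assumptions; tune them, and exempt
    real mail relays, which legitimately do this all day."""
    by_src: Dict[str, List[DnsQuery]] = defaultdict(list)
    for query in sorted(queries, key=lambda x: x.ts):
        if query.qtype == "MX":
            by_src[query.src].append(query)
    findings = []
    for src, mx in by_src.items():
        for i, first in enumerate(mx):            # sliding window over MX lookups
            in_win = [m for m in mx[i:] if m.ts - first.ts <= window]
            domains = {m.name.lower() for m in in_win}
            if len(domains) >= threshold:
                findings.append({"src": src, "domains": sorted(domains),
                                 "first": first.ts, "last": in_win[-1].ts})
                break                              # one finding per source
    return findings


def mx_followed_by_a(queries: List[DnsQuery],
                     within: timedelta = timedelta(seconds=2)) -> List[Tuple[str, str]]:
    """Pair each MX lookup with the first A lookup for a *different* name that
    the same source issued within `within`: the bot resolving the exchanger
    it was just told about."""
    ordered = sorted(queries, key=lambda x: x.ts)
    pairs = []
    for i, mxq in enumerate(ordered):
        if mxq.qtype != "MX":
            continue
        for later in ordered[i + 1:]:
            if later.ts - mxq.ts > within:
                break
            if later.src == mxq.src and later.qtype == "A" and later.name != mxq.name:
                pairs.append((mxq.name, later.name))
                break
    return pairs


if __name__ == "__main__":
    for f in detect_mx_harvesting(SAMPLE_QUERIES):
        print(f"{f['src']}: MX for {', '.join(f['domains'])} between {f['first']} and {f['last']}")
    for mx_name, a_name in mx_followed_by_a(SAMPLE_QUERIES):
        print(f"  MX {mx_name} -> A {a_name}")
```

On the constructed data only 192.168.2.8 is flagged, with all three of its MX lookups paired to an A lookup of the exchanger; the benign host's single MX query stays below the threshold. In production the same two functions run over passive DNS or resolver logs, with the organisation's real mail relays excluded by source address.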

                                                                                          Target ID:0
                                                                                          Start time:13:37:58
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Users\user\Desktop\SGn3RtDC8Y.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\SGn3RtDC8Y.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:315'904 bytes
                                                                                          MD5 hash:3CA2945C2C97310AFEF97E0C889CB8EC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1443238821.0000000002BF9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1408457761.00000000029E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:13:38:01
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jlxopxf\
                                                                                          Imagebase:0xa40000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:13:38:01
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6ee680000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:13:38:01
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ubezyssm.exe" C:\Windows\SysWOW64\jlxopxf\
                                                                                          Imagebase:0xa40000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:13:38:01
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6ee680000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:13:38:02
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" create jlxopxf binPath= "C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d\"C:\Users\user\Desktop\SGn3RtDC8Y.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                          Imagebase:0xc90000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:13:38:02
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6ee680000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:13:38:02
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" description jlxopxf "wifi internet conection"
                                                                                          Imagebase:0xc90000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:13:38:02
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6ee680000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:13:38:03
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" start jlxopxf
                                                                                          Imagebase:0xc90000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:13:38:03
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6ee680000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:13:38:03
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe /d"C:\Users\user\Desktop\SGn3RtDC8Y.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:12'340'224 bytes
                                                                                          MD5 hash:32F0C83846CE2CC1E5F9549AE158AD56
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.1461743704.0000000002942000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.1458167400.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.1461696537.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:13:38:03
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0x15c0000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:13:38:03
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                          Imagebase:0x7ff67e6d0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:15
                                                                                          Start time:13:38:03
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6ee680000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:13:38:04
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7444 -ip 7444
                                                                                          Imagebase:0xb00000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:13:38:04
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7444 -s 1200
                                                                                          Imagebase:0xb00000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:13:38:05
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0xac0000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Has exited:false

                                                                                          Target ID:19
                                                                                          Start time:13:38:05
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7844 -ip 7844
                                                                                          Imagebase:0xb00000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:20
                                                                                          Start time:13:38:06
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7844 -s 540
                                                                                          Imagebase:0xb00000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:24
                                                                                          Start time:13:38:45
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                          Imagebase:0x7ff67e6d0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:false


                                                                                            Execution Graph

                                                                                            Execution Coverage:3.8%
                                                                                            Dynamic/Decrypted Code Coverage:31.1%
                                                                                            Signature Coverage:25.3%
                                                                                            Total number of Nodes:1555
                                                                                            Total number of Limit Nodes:18
                                                                                            execution_graph: raw node and edge listing of the interactive execution-graph viewer (node ids, code addresses and resolved API names such as SetErrorMode, GetModuleHandleA, CreateProcessA, RegOpenKeyExA, StartServiceCtrlDispatcherA, CreateFileA, netsh/firewall-related calls); not reproduced here as text.
SysAllocStringByteLen 14897->14900 14898->14527 14902 40f11c MultiByteToWideChar 14899->14902 14901 40f117 14900->14901 14900->14902 14901->14527 14902->14901 14904 401820 17 API calls 14903->14904 14905 4018f2 14904->14905 14906 4018f9 14905->14906 14918 401280 14905->14918 14906->14522 14908 401908 14908->14522 14930 401000 14909->14930 14911 401839 14912 401851 GetCurrentProcess 14911->14912 14913 40183d 14911->14913 14914 401864 14912->14914 14913->14513 14914->14513 14916 406e5f LookupAccountNameW 14915->14916 14917 406e97 14915->14917 14916->14917 14917->14882 14919 4012e1 14918->14919 14920 4016f9 GetLastError 14919->14920 14921 4013a8 14919->14921 14922 401699 14920->14922 14921->14922 14923 401570 lstrlenW 14921->14923 14924 4015be GetStartupInfoW 14921->14924 14925 4015ff CreateProcessWithLogonW 14921->14925 14929 401668 CloseHandle 14921->14929 14922->14908 14923->14921 14924->14921 14926 4016bf GetLastError 14925->14926 14927 40163f WaitForSingleObject 14925->14927 14926->14922 14927->14921 14928 401659 CloseHandle 14927->14928 14928->14921 14929->14921 14931 40100d LoadLibraryA 14930->14931 14933 401023 14930->14933 14932 401021 14931->14932 14931->14933 14932->14911 14934 4010b5 GetProcAddress 14933->14934 14950 4010ae 14933->14950 14935 4010d1 GetProcAddress 14934->14935 14936 40127b 14934->14936 14935->14936 14937 4010f0 GetProcAddress 14935->14937 14936->14911 14937->14936 14938 401110 GetProcAddress 14937->14938 14938->14936 14939 401130 GetProcAddress 14938->14939 14939->14936 14940 40114f GetProcAddress 14939->14940 14940->14936 14941 40116f GetProcAddress 14940->14941 14941->14936 14942 40118f GetProcAddress 14941->14942 14942->14936 14943 4011ae GetProcAddress 14942->14943 14943->14936 14944 4011ce GetProcAddress 14943->14944 14944->14936 14945 4011ee GetProcAddress 14944->14945 14945->14936 14946 401209 GetProcAddress 14945->14946 14946->14936 14947 401225 GetProcAddress 14946->14947 14947->14936 14948 401241 GetProcAddress 14947->14948 
14948->14936 14949 40125c GetProcAddress 14948->14949 14949->14936 14950->14911 14954 4069b9 WriteFile 14951->14954 14953 4069ff 14955 406a3c 14953->14955 14956 406a10 WriteFile 14953->14956 14954->14953 14954->14955 14955->14537 14955->14538 14956->14953 14956->14955 14958 40eb17 14957->14958 14959 40eb21 14957->14959 14961 40eae4 14958->14961 14959->14541 14962 40eb02 GetProcAddress 14961->14962 14963 40eaed LoadLibraryA 14961->14963 14962->14959 14963->14962 14964 40eb01 14963->14964 14964->14959 14966 40eba7 GetProcessHeap HeapSize 14965->14966 14967 40ebbf GetProcessHeap HeapFree 14965->14967 14966->14967 14967->14570 14969 40908d 14968->14969 14970 4090e2 wsprintfA 14969->14970 14971 40ee2a 14970->14971 14972 4090fd CreateFileA 14971->14972 14973 40911a lstrlenA WriteFile CloseHandle 14972->14973 14974 40913f 14972->14974 14973->14974 14974->14579 14974->14580 14976 40ee2a 14975->14976 14977 409794 CreateProcessA 14976->14977 14978 4097bb 14977->14978 14979 4097c2 14977->14979 14978->14591 14980 4097d4 GetThreadContext 14979->14980 14981 409801 14980->14981 14982 4097f5 14980->14982 14989 40637c 14981->14989 14983 4097f6 TerminateProcess 14982->14983 14983->14978 14985 409816 14985->14983 14986 40981e WriteProcessMemory 14985->14986 14986->14982 14987 40983b SetThreadContext 14986->14987 14987->14982 14988 409858 ResumeThread 14987->14988 14988->14978 14990 406386 14989->14990 14991 40638a GetModuleHandleA VirtualAlloc 14989->14991 14990->14985 14992 4063f5 14991->14992 14993 4063b6 14991->14993 14992->14985 14994 4063be VirtualAllocEx 14993->14994 14994->14992 14995 4063d6 14994->14995 14996 4063df WriteProcessMemory 14995->14996 14996->14992 14998 40dd41 InterlockedExchange 14997->14998 14999 40dd20 GetCurrentThreadId 14998->14999 15003 40dd4a 14998->15003 15000 40dd53 GetCurrentThreadId 14999->15000 15001 40dd2e GetTickCount 14999->15001 15000->14594 15002 40dd39 Sleep 15001->15002 15001->15003 15002->14998 15003->15000 15005 40dbf0 15004->15005 15037 
40db67 GetEnvironmentVariableA 15005->15037 15007 40dc19 15008 40dcda 15007->15008 15009 40db67 3 API calls 15007->15009 15008->14596 15010 40dc5c 15009->15010 15010->15008 15011 40db67 3 API calls 15010->15011 15012 40dc9b 15011->15012 15012->15008 15013 40db67 3 API calls 15012->15013 15013->15008 15015 40db3a 15014->15015 15017 40db55 15014->15017 15041 40ebed 15015->15041 15017->14598 15017->14603 15050 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15018->15050 15020 40e3be 15020->14598 15021 40e342 15021->15020 15053 40de24 15021->15053 15024 40e3f4 15023->15024 15025 40e528 15023->15025 15026 40e434 RegQueryValueExA 15024->15026 15025->14607 15027 40e458 15026->15027 15028 40e51d RegCloseKey 15026->15028 15029 40e46e RegQueryValueExA 15027->15029 15028->15025 15029->15027 15030 40e488 15029->15030 15030->15028 15031 40db2e 8 API calls 15030->15031 15032 40e499 15031->15032 15032->15028 15033 40e4b9 RegQueryValueExA 15032->15033 15034 40e4e8 15032->15034 15033->15032 15033->15034 15034->15028 15035 40e332 14 API calls 15034->15035 15036 40e513 15035->15036 15036->15028 15038 40dbca 15037->15038 15040 40db89 lstrcpyA CreateFileA 15037->15040 15038->15007 15040->15007 15042 40ec01 15041->15042 15043 40ebf6 15041->15043 15045 40eba0 codecvt 2 API calls 15042->15045 15044 40ebcc 4 API calls 15043->15044 15046 40ebfe 15044->15046 15047 40ec0a GetProcessHeap HeapReAlloc 15045->15047 15046->15017 15048 40eb74 2 API calls 15047->15048 15049 40ec28 15048->15049 15049->15017 15064 40eb41 15050->15064 15054 40de3a 15053->15054 15057 40de4e 15054->15057 15068 40dd84 15054->15068 15057->15021 15058 40de76 15072 40ddcf 15058->15072 15059 40ebed 8 API calls 15062 40def6 15059->15062 15060 40de9e 15060->15057 15060->15059 15062->15057 15063 40ddcf lstrcmpA 15062->15063 15063->15057 15065 40eb54 15064->15065 15066 40eb4a 15064->15066 15065->15021 15067 40eae4 2 API calls 15066->15067 15067->15065 15069 40ddc5 15068->15069 15070 40dd96 15068->15070 15069->15058 
15069->15060 15070->15069 15071 40ddad lstrcmpiA 15070->15071 15071->15069 15071->15070 15073 40dddd 15072->15073 15075 40de20 15072->15075 15074 40ddfa lstrcmpA 15073->15074 15073->15075 15074->15073 15075->15057 15077 40dd05 6 API calls 15076->15077 15078 40e821 15077->15078 15079 40dd84 lstrcmpiA 15078->15079 15080 40e82c 15079->15080 15082 40e844 15080->15082 15125 402480 15080->15125 15082->14623 15084 40dd05 6 API calls 15083->15084 15085 40df7c 15084->15085 15086 40dd84 lstrcmpiA 15085->15086 15090 40df89 15086->15090 15087 40dfc4 15087->14629 15088 40ddcf lstrcmpA 15088->15090 15089 40ec2e codecvt 4 API calls 15089->15090 15090->15087 15090->15088 15090->15089 15091 40dd84 lstrcmpiA 15090->15091 15091->15090 15093 40ea98 15092->15093 15134 40e8a1 15093->15134 15095 401e84 15095->14632 15097 4019b7 LoadLibraryA 15096->15097 15098 4019d5 GetProcAddress GetProcAddress GetProcAddress 15097->15098 15101 4019ce 15097->15101 15099 401ab3 FreeLibrary 15098->15099 15100 401a04 15098->15100 15099->15101 15100->15099 15102 401a14 GetProcessHeap 15100->15102 15101->14636 15102->15101 15104 401a2e HeapAlloc 15102->15104 15104->15101 15105 401a42 15104->15105 15106 401a52 HeapReAlloc 15105->15106 15108 401a62 15105->15108 15106->15108 15107 401aa1 FreeLibrary 15107->15101 15108->15107 15109 401a96 HeapFree 15108->15109 15109->15107 15162 401ac3 LoadLibraryA 15110->15162 15113 401bcf 15113->14648 15115 401ac3 12 API calls 15114->15115 15116 401c09 15115->15116 15117 401c41 15116->15117 15118 401c0d GetComputerNameA 15116->15118 15117->14655 15119 401c45 GetVolumeInformationA 15118->15119 15120 401c1f 15118->15120 15119->15117 15120->15117 15120->15119 15122 40ee2a 15121->15122 15123 4030d0 gethostname gethostbyname 15122->15123 15124 401f82 15123->15124 15124->14660 15124->14662 15128 402419 lstrlenA 15125->15128 15127 402491 15127->15082 15129 40243d lstrlenA 15128->15129 15132 402474 15128->15132 15130 402464 lstrlenA 15129->15130 15131 40244e lstrcmpiA 15129->15131 
15130->15129 15130->15132 15131->15130 15133 40245c 15131->15133 15132->15127 15133->15130 15133->15132 15135 40dd05 6 API calls 15134->15135 15136 40e8b4 15135->15136 15137 40dd84 lstrcmpiA 15136->15137 15138 40e8c0 15137->15138 15139 40e90a 15138->15139 15140 40e8c8 lstrcpynA 15138->15140 15141 402419 4 API calls 15139->15141 15150 40ea27 15139->15150 15142 40e8f5 15140->15142 15143 40e926 lstrlenA lstrlenA 15141->15143 15155 40df4c 15142->15155 15145 40e96a 15143->15145 15146 40e94c lstrlenA 15143->15146 15149 40ebcc 4 API calls 15145->15149 15145->15150 15146->15145 15147 40e901 15148 40dd84 lstrcmpiA 15147->15148 15148->15139 15151 40e98f 15149->15151 15150->15095 15151->15150 15152 40df4c 20 API calls 15151->15152 15153 40ea1e 15152->15153 15154 40ec2e codecvt 4 API calls 15153->15154 15154->15150 15156 40dd05 6 API calls 15155->15156 15157 40df51 15156->15157 15158 40f04e 4 API calls 15157->15158 15159 40df58 15158->15159 15160 40de24 10 API calls 15159->15160 15161 40df63 15160->15161 15161->15147 15163 401ae2 GetProcAddress 15162->15163 15164 401b68 GetComputerNameA GetVolumeInformationA 15162->15164 15163->15164 15165 401af5 15163->15165 15164->15113 15166 40ebed 8 API calls 15165->15166 15167 401b29 15165->15167 15166->15165 15167->15164 15167->15167 15168 40ec2e codecvt 4 API calls 15167->15168 15168->15164 15170 406ec3 2 API calls 15169->15170 15171 407ef4 15170->15171 15172 407fc9 15171->15172 15173 4073ff 17 API calls 15171->15173 15172->14674 15174 407f16 15173->15174 15174->15172 15182 407809 GetUserNameA 15174->15182 15176 407f63 15176->15172 15177 40ef1e lstrlenA 15176->15177 15178 407fa6 15177->15178 15179 40ef1e lstrlenA 15178->15179 15180 407fb7 15179->15180 15206 407a95 RegOpenKeyExA 15180->15206 15183 40783d LookupAccountNameA 15182->15183 15184 407a8d 15182->15184 15183->15184 15185 407874 GetLengthSid GetFileSecurityA 15183->15185 15184->15176 15185->15184 15186 4078a8 GetSecurityDescriptorOwner 15185->15186 15187 4078c5 EqualSid 
15186->15187 15188 40791d GetSecurityDescriptorDacl 15186->15188 15187->15188 15189 4078dc LocalAlloc 15187->15189 15188->15184 15201 407941 15188->15201 15189->15188 15190 4078ef InitializeSecurityDescriptor 15189->15190 15191 407916 LocalFree 15190->15191 15192 4078fb SetSecurityDescriptorOwner 15190->15192 15191->15188 15192->15191 15194 40790b SetFileSecurityA 15192->15194 15193 40795b GetAce 15193->15201 15194->15191 15195 407980 EqualSid 15195->15201 15196 407a3d 15196->15184 15199 407a43 LocalAlloc 15196->15199 15197 4079be EqualSid 15197->15201 15198 40799d DeleteAce 15198->15201 15199->15184 15200 407a56 InitializeSecurityDescriptor 15199->15200 15202 407a62 SetSecurityDescriptorDacl 15200->15202 15203 407a86 LocalFree 15200->15203 15201->15184 15201->15193 15201->15195 15201->15196 15201->15197 15201->15198 15202->15203 15204 407a73 SetFileSecurityA 15202->15204 15203->15184 15204->15203 15205 407a83 15204->15205 15205->15203 15207 407ac4 15206->15207 15208 407acb GetUserNameA 15206->15208 15207->15172 15209 407da7 RegCloseKey 15208->15209 15210 407aed LookupAccountNameA 15208->15210 15209->15207 15210->15209 15211 407b24 RegGetKeySecurity 15210->15211 15211->15209 15212 407b49 GetSecurityDescriptorOwner 15211->15212 15213 407b63 EqualSid 15212->15213 15214 407bb8 GetSecurityDescriptorDacl 15212->15214 15213->15214 15215 407b74 LocalAlloc 15213->15215 15216 407da6 15214->15216 15217 407bdc 15214->15217 15215->15214 15218 407b8a InitializeSecurityDescriptor 15215->15218 15216->15209 15217->15216 15221 407bf8 GetAce 15217->15221 15223 407c1d EqualSid 15217->15223 15224 407c5f EqualSid 15217->15224 15225 407cd9 15217->15225 15226 407c3a DeleteAce 15217->15226 15219 407bb1 LocalFree 15218->15219 15220 407b96 SetSecurityDescriptorOwner 15218->15220 15219->15214 15220->15219 15222 407ba6 RegSetKeySecurity 15220->15222 15221->15217 15222->15219 15223->15217 15224->15217 15225->15216 15227 407d5a LocalAlloc 15225->15227 15229 407cf2 RegOpenKeyExA 15225->15229 
15226->15217 15227->15216 15228 407d70 InitializeSecurityDescriptor 15227->15228 15230 407d7c SetSecurityDescriptorDacl 15228->15230 15231 407d9f LocalFree 15228->15231 15229->15227 15234 407d0f 15229->15234 15230->15231 15232 407d8c RegSetKeySecurity 15230->15232 15231->15216 15232->15231 15233 407d9c 15232->15233 15233->15231 15235 407d43 RegSetValueExA 15234->15235 15235->15227 15236 407d54 15235->15236 15236->15227 15237->14690 15239 40dd05 6 API calls 15238->15239 15242 40e65f 15239->15242 15240 40e6a5 15241 40ebcc 4 API calls 15240->15241 15246 40e6f5 15240->15246 15244 40e6b0 15241->15244 15242->15240 15243 40e68c lstrcmpA 15242->15243 15243->15242 15245 40e6e0 lstrcpynA 15244->15245 15244->15246 15248 40e6b7 15244->15248 15245->15246 15247 40e71d lstrcmpA 15246->15247 15246->15248 15247->15246 15248->14692 15249->14698 15251 40c525 15250->15251 15252 40c532 15250->15252 15251->15252 15254 40ec2e codecvt 4 API calls 15251->15254 15253 40c548 15252->15253 15402 40e7ff 15252->15402 15256 40e7ff lstrcmpiA 15253->15256 15263 40c54f 15253->15263 15254->15252 15257 40c615 15256->15257 15258 40ebcc 4 API calls 15257->15258 15257->15263 15258->15263 15259 40c5d1 15262 40ebcc 4 API calls 15259->15262 15261 40e819 11 API calls 15264 40c5b7 15261->15264 15262->15263 15263->14711 15265 40f04e 4 API calls 15264->15265 15266 40c5bf 15265->15266 15266->15253 15266->15259 15268 402692 15267->15268 15269 40268e 15267->15269 15268->15269 15270 40269e gethostbyname 15268->15270 15271 40f428 15269->15271 15270->15269 15405 40f315 15271->15405 15276 40c8d2 15274->15276 15275 40c907 15275->14713 15276->15275 15277 40c517 23 API calls 15276->15277 15277->15275 15278 40f43e 15279 40f473 recv 15278->15279 15280 40f458 15279->15280 15281 40f47c 15279->15281 15280->15279 15280->15281 15281->14729 15283 40c670 15282->15283 15285 40c67d 15282->15285 15284 40ebcc 4 API calls 15283->15284 15284->15285 15286 40ebcc 4 API calls 15285->15286 15288 40c699 15285->15288 15286->15288 15287 
40c6f3 15287->14753 15288->15287 15289 40c73c send 15288->15289 15289->15287 15291 40c770 15290->15291 15292 40c77d 15290->15292 15293 40ebcc 4 API calls 15291->15293 15294 40c799 15292->15294 15295 40ebcc 4 API calls 15292->15295 15293->15292 15296 40c7b5 15294->15296 15297 40ebcc 4 API calls 15294->15297 15295->15294 15298 40f43e recv 15296->15298 15297->15296 15299 40c7cb 15298->15299 15300 40f43e recv 15299->15300 15301 40c7d3 15299->15301 15300->15301 15301->14753 15415 407db7 15302->15415 15305 407e96 15305->14753 15306 407e70 15306->15305 15308 40f04e 4 API calls 15306->15308 15307 40f04e 4 API calls 15309 407e4c 15307->15309 15308->15305 15309->15306 15310 40f04e 4 API calls 15309->15310 15310->15306 15312 406ec3 2 API calls 15311->15312 15313 407fdd 15312->15313 15314 4073ff 17 API calls 15313->15314 15323 4080c2 CreateProcessA 15313->15323 15315 407fff 15314->15315 15316 407809 21 API calls 15315->15316 15315->15323 15317 40804d 15316->15317 15318 40ef1e lstrlenA 15317->15318 15317->15323 15319 40809e 15318->15319 15320 40ef1e lstrlenA 15319->15320 15321 4080af 15320->15321 15322 407a95 24 API calls 15321->15322 15322->15323 15323->14793 15323->14794 15325 407db7 2 API calls 15324->15325 15326 407eb8 15325->15326 15327 40f04e 4 API calls 15326->15327 15328 407ece DeleteFileA 15327->15328 15328->14753 15330 40dd05 6 API calls 15329->15330 15331 40e31d 15330->15331 15419 40e177 15331->15419 15333 40e326 15333->14764 15335 4031f3 15334->15335 15345 4031ec 15334->15345 15336 40ebcc 4 API calls 15335->15336 15350 4031fc 15336->15350 15337 40344b 15338 403459 15337->15338 15339 40349d 15337->15339 15341 40f04e 4 API calls 15338->15341 15340 40ec2e codecvt 4 API calls 15339->15340 15340->15345 15342 40345f 15341->15342 15344 4030fa 4 API calls 15342->15344 15343 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15343->15350 15344->15345 15345->14753 15346 40344d 15347 40ec2e codecvt 4 API calls 15346->15347 15347->15337 15349 403141 lstrcmpiA 
15349->15350 15350->15337 15350->15343 15350->15345 15350->15346 15350->15349 15445 4030fa GetTickCount 15350->15445 15352 4030fa 4 API calls 15351->15352 15353 403c1a 15352->15353 15354 403ce6 15353->15354 15450 403a72 15353->15450 15354->14753 15357 403a72 9 API calls 15359 403c5e 15357->15359 15358 403a72 9 API calls 15358->15359 15359->15354 15359->15358 15360 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15359->15360 15360->15359 15362 403a10 15361->15362 15363 4030fa 4 API calls 15362->15363 15364 403a1a 15363->15364 15364->14753 15366 40dd05 6 API calls 15365->15366 15367 40e7be 15366->15367 15367->14753 15369 40c105 15368->15369 15370 40c07e wsprintfA 15368->15370 15369->14753 15459 40bfce GetTickCount wsprintfA 15370->15459 15372 40c0ef 15460 40bfce GetTickCount wsprintfA 15372->15460 15375 407047 15374->15375 15376 406f88 LookupAccountNameA 15374->15376 15375->14753 15378 407025 15376->15378 15379 406fcb 15376->15379 15380 406edd 5 API calls 15378->15380 15381 406fdb ConvertSidToStringSidA 15379->15381 15382 40702a wsprintfA 15380->15382 15381->15378 15383 406ff1 15381->15383 15382->15375 15384 407013 LocalFree 15383->15384 15384->15378 15386 40dd05 6 API calls 15385->15386 15387 40e85c 15386->15387 15388 40dd84 lstrcmpiA 15387->15388 15389 40e867 15388->15389 15390 40e885 lstrcpyA 15389->15390 15461 4024a5 15389->15461 15464 40dd69 15390->15464 15396 407db7 2 API calls 15395->15396 15398 407de1 15396->15398 15397 407e16 15397->14753 15398->15397 15399 40f04e 4 API calls 15398->15399 15400 407df2 15399->15400 15400->15397 15401 40f04e 4 API calls 15400->15401 15401->15397 15403 40dd84 lstrcmpiA 15402->15403 15404 40c58e 15403->15404 15404->15253 15404->15259 15404->15261 15406 40ca1d 15405->15406 15407 40f33b 15405->15407 15406->14726 15406->15278 15408 40f347 htons socket 15407->15408 15408->15406 15409 40f382 ioctlsocket 15408->15409 15409->15406 15410 40f3aa connect select 15409->15410 15410->15406 15411 40f3f2 __WSAFDIsSet 
15410->15411 15411->15406 15412 40f403 ioctlsocket 15411->15412 15414 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15412->15414 15414->15406 15416 407dc8 InterlockedExchange 15415->15416 15417 407dc0 Sleep 15416->15417 15418 407dd4 15416->15418 15417->15416 15418->15306 15418->15307 15420 40e184 15419->15420 15421 40e2e4 15420->15421 15422 40e223 15420->15422 15435 40dfe2 15420->15435 15421->15333 15422->15421 15424 40dfe2 8 API calls 15422->15424 15429 40e23c 15424->15429 15425 40e1be 15425->15422 15426 40dbcf 3 API calls 15425->15426 15428 40e1d6 15426->15428 15427 40e21a CloseHandle 15427->15422 15428->15422 15428->15427 15430 40e1f9 WriteFile 15428->15430 15429->15421 15439 40e095 RegCreateKeyExA 15429->15439 15430->15427 15432 40e213 15430->15432 15432->15427 15433 40e2a3 15433->15421 15434 40e095 4 API calls 15433->15434 15434->15421 15436 40dffc 15435->15436 15438 40e024 15435->15438 15437 40db2e 8 API calls 15436->15437 15436->15438 15437->15438 15438->15425 15440 40e172 15439->15440 15442 40e0c0 15439->15442 15440->15433 15441 40e13d 15443 40e14e RegDeleteValueA RegCloseKey 15441->15443 15442->15441 15444 40e115 RegSetValueExA 15442->15444 15443->15440 15444->15441 15444->15442 15446 403122 InterlockedExchange 15445->15446 15447 40312e 15446->15447 15448 40310f GetTickCount 15446->15448 15447->15350 15448->15447 15449 40311a Sleep 15448->15449 15449->15446 15451 40f04e 4 API calls 15450->15451 15458 403a83 15451->15458 15452 403ac1 15452->15354 15452->15357 15453 403be6 15454 40ec2e codecvt 4 API calls 15453->15454 15454->15452 15455 403bc0 15455->15453 15457 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15455->15457 15456 403b66 lstrlenA 15456->15452 15456->15458 15457->15455 15458->15452 15458->15455 15458->15456 15459->15372 15460->15369 15462 402419 4 API calls 15461->15462 15463 4024b6 15462->15463 15463->15390 15465 40dd79 lstrlenA 15464->15465 15465->14753 15467 404084 15466->15467 15468 40407d 15466->15468 15469 
403ecd 6 API calls 15467->15469 15470 40408f 15469->15470 15471 404000 3 API calls 15470->15471 15472 404095 15471->15472 15473 404130 15472->15473 15478 403f18 4 API calls 15472->15478 15474 403ecd 6 API calls 15473->15474 15475 404159 CreateNamedPipeA 15474->15475 15476 404167 Sleep 15475->15476 15477 404188 ConnectNamedPipe 15475->15477 15476->15473 15479 404176 CloseHandle 15476->15479 15481 404195 GetLastError 15477->15481 15491 4041ab 15477->15491 15480 4040da 15478->15480 15479->15477 15482 403f8c 4 API calls 15480->15482 15483 40425e DisconnectNamedPipe 15481->15483 15481->15491 15484 4040ec 15482->15484 15483->15477 15485 404127 CloseHandle 15484->15485 15487 404101 15484->15487 15485->15473 15486 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15486->15491 15488 403f18 4 API calls 15487->15488 15489 40411c ExitProcess 15488->15489 15490 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15490->15491 15491->15477 15491->15483 15491->15486 15491->15490 15492 40426a CloseHandle CloseHandle 15491->15492 15493 40e318 23 API calls 15492->15493 15494 40427b 15493->15494 15494->15494 15496 408791 15495->15496 15497 40879f 15495->15497 15499 40f04e 4 API calls 15496->15499 15498 4087bc 15497->15498 15500 40f04e 4 API calls 15497->15500 15501 40e819 11 API calls 15498->15501 15499->15497 15500->15498 15502 4087d7 15501->15502 15515 408803 15502->15515 15517 4026b2 gethostbyaddr 15502->15517 15505 4087eb 15507 40e8a1 30 API calls 15505->15507 15505->15515 15507->15515 15510 40e819 11 API calls 15510->15515 15511 4088a0 Sleep 15511->15515 15512 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15512->15515 15514 4026b2 2 API calls 15514->15515 15515->15510 15515->15511 15515->15512 15515->15514 15516 40e8a1 30 API calls 15515->15516 15522 408cee 15515->15522 15530 40c4d6 15515->15530 15533 40c4e2 15515->15533 15536 402011 15515->15536 15571 408328 15515->15571 15516->15515 15518 4026fb 15517->15518 
15519 4026cd 15517->15519 15518->15505 15520 4026e1 inet_ntoa 15519->15520 15521 4026de 15519->15521 15520->15521 15521->15505 15523 408d02 GetTickCount 15522->15523 15524 408dae 15522->15524 15523->15524 15528 408d19 15523->15528 15524->15515 15525 408da1 GetTickCount 15525->15524 15528->15525 15529 408d89 15528->15529 15623 40a677 15528->15623 15626 40a688 15528->15626 15529->15525 15634 40c2dc 15530->15634 15534 40c2dc 136 API calls 15533->15534 15535 40c4ec 15534->15535 15535->15515 15537 402020 15536->15537 15538 40202e 15536->15538 15539 40f04e 4 API calls 15537->15539 15540 40204b 15538->15540 15542 40f04e 4 API calls 15538->15542 15539->15538 15541 40206e GetTickCount 15540->15541 15543 40f04e 4 API calls 15540->15543 15544 4020db GetTickCount 15541->15544 15554 402090 15541->15554 15542->15540 15546 402068 15543->15546 15545 402132 GetTickCount GetTickCount 15544->15545 15556 4020e7 15544->15556 15549 40f04e 4 API calls 15545->15549 15546->15541 15547 4020d4 GetTickCount 15547->15544 15548 40212b GetTickCount 15548->15545 15551 402159 15549->15551 15550 402684 gethostbyname 15550->15554 15552 4021b4 15551->15552 15555 40e854 13 API calls 15551->15555 15557 40f04e 4 API calls 15552->15557 15554->15547 15554->15550 15561 4020ce 15554->15561 15959 401978 15554->15959 15558 40218e 15555->15558 15556->15548 15563 401978 12 API calls 15556->15563 15564 402125 15556->15564 15962 402ef8 15556->15962 15560 4021d1 15557->15560 15562 40e819 11 API calls 15558->15562 15565 4021f2 15560->15565 15567 40ea84 30 API calls 15560->15567 15561->15547 15566 40219c 15562->15566 15563->15556 15564->15548 15565->15515 15566->15552 15970 401c5f 15566->15970 15568 4021ec 15567->15568 15569 40f04e 4 API calls 15568->15569 15569->15565 15572 407dd6 6 API calls 15571->15572 15573 40833c 15572->15573 15574 406ec3 2 API calls 15573->15574 15578 408340 15573->15578 15575 40834f 15574->15575 15576 40835c 15575->15576 15580 40846b 15575->15580 15577 4073ff 17 API calls 15576->15577 15586 
408373 15577->15586 15578->15515 15579 40675c 21 API calls 15597 4085df 15579->15597 15583 4084a7 RegOpenKeyExA 15580->15583 15609 408450 15580->15609 15581 408626 GetTempPathA 15582 408638 15581->15582 16042 406ba7 IsBadCodePtr 15582->16042 15587 4084c0 RegQueryValueExA 15583->15587 15596 40852f 15583->15596 15585 4086ad 15588 408762 15585->15588 15590 407e2f 6 API calls 15585->15590 15586->15578 15603 4083ea RegOpenKeyExA 15586->15603 15586->15609 15589 408521 RegCloseKey 15587->15589 15592 4084dd 15587->15592 15588->15578 15595 40ec2e codecvt 4 API calls 15588->15595 15589->15596 15606 4086bb 15590->15606 15591 408564 RegOpenKeyExA 15593 4085a5 15591->15593 15598 408573 15591->15598 15592->15589 15599 40ebcc 4 API calls 15592->15599 15605 40ec2e codecvt 4 API calls 15593->15605 15593->15609 15594 40875b DeleteFileA 15594->15588 15595->15578 15596->15591 15596->15593 15597->15581 15597->15582 15597->15588 15598->15598 15601 408585 RegSetValueExA RegCloseKey 15598->15601 15600 4084f0 15599->15600 15600->15589 15602 4084f8 RegQueryValueExA 15600->15602 15601->15593 15602->15589 15604 408515 15602->15604 15607 4083fd RegQueryValueExA 15603->15607 15603->15609 15608 40ec2e codecvt 4 API calls 15604->15608 15605->15609 15606->15594 15610 4086e0 lstrcpyA lstrlenA 15606->15610 15611 40842d RegSetValueExA 15607->15611 15612 40841e 15607->15612 15614 40851d 15608->15614 15609->15579 15609->15597 15615 407fcf 64 API calls 15610->15615 15613 408447 RegCloseKey 15611->15613 15612->15611 15612->15613 15613->15609 15614->15589 15616 408719 CreateProcessA 15615->15616 15617 40873d CloseHandle CloseHandle 15616->15617 15618 40874f 15616->15618 15617->15588 15619 407ee6 64 API calls 15618->15619 15620 408754 15619->15620 15621 407ead 6 API calls 15620->15621 15622 40875a 15621->15622 15622->15594 15629 40a63d 15623->15629 15625 40a685 15625->15528 15627 40a63d GetTickCount 15626->15627 15628 40a696 15627->15628 15628->15528 15630 40a645 15629->15630 15631 40a64d 15629->15631 
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75568A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1251348514-2980165447

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02BFDFC8
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 02BFDFE8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1443238821.0000000002BF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BF9000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bf9000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75570F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75570F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75570F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75570F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75570F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75570F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75570F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75570F10,?,75570F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.KERNELBASE(75570F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75570F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.KERNELBASE(75570F10,?,75570F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"$PromptOnSecureDesktop
                                                                                            • API String ID: 4293430545-98143240

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,75570F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75570F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75570F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,75570F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,75570F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75570F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75570F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75570F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75570F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75570F10,00000000), ref: 0040691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,75570F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0

                                                                                             Control-flow Graph: basic blocks 029B003C-029B091D; API calls in graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA (two sites); subcalls 029B0A3F, 029B0E0F, 029B0D90, 029B0A69, 029B0CCE, 029B0CE7 (graph image not reproduced)
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 029B024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 42523d658734be5adc1b1daf10dbf1cb7dd777a4bc5754a5a5006f2d178b3ac3
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: 87527974A01229DFDB65CF68C984BADBBB5BF09304F1480D9E94DAB351DB30AA85CF14

                                                                                            APIs
                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75568A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4131120076-2980165447
                                                                                            • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                            • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                             Control-flow Graph: basic blocks 00404000-0040405C; API calls in graph: CreateFileA, GetLastError, Sleep; the Sleep block branches back to the CreateFileA block, i.e. the open is retried after a 500 ms delay (graph image not reproduced)
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 408151869-2980165447
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                             Control-flow Graph: basic blocks 00406987-00406A5F; API calls in graph: WriteFile (two sites); the second WriteFile block is re-entered in a loop, i.e. the buffer is written in chunks until done (graph image not reproduced)
                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                             Control-flow Graph: basic blocks 004091EB-00409324; API calls in graph: ShellExecuteA, Sleep; subcalls 0040ED03 (two sites), 0040EE08; after ShellExecuteA the path through the Sleep block branches back to the start of the function, i.e. the launch is retried after a delay (graph image not reproduced)
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                            • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-0
                                                                                            • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                            • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                             Control-flow Graph: basic blocks 029B0E0F-029B0E2C; API calls in graph: SetErrorMode (called twice in the first block) (graph image not reproduced)
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,029B0223,?,?), ref: 029B0E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,029B0223,?,?), ref: 029B0E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: 8c5091a75a8c552e1507ec5e9f2876851e53a5403109e6d851cc54e5729abfa9
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: 16D01236245228B7DB012AD4DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4046EA

                                                                                             Control-flow Graph: basic blocks 00406DC2-00406E35; API calls in graph: GetVolumeInformationA; subcalls 00406CC9, 0040EF00 (graph image not reproduced)
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02BFDCB0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1443238821.0000000002BF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BF9000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bf9000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 365fcdcf214b5bd6c02bba9b13fcd45d1f0f7d9171205da20b8e0e09368dd7f4
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 3D113C79A00208EFDB01DF98CA85E98BBF5EF08350F058094FA489B361D371EA54DF80
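The API trace lines in this section show call arguments as raw hexadecimal stack values (for example the 0x40 protection passed to VirtualAlloc above, the C0000000 access mask and 40000080 flags in the CreateFileA retry loop at 00404000, and the 08000000 creation flag and 0000EA60 timeout in the drop-and-execute routine listed below). The following decoder is an added example, not part of the Joe Sandbox report or of the Tofsee sample: it parses lines in the report's own "Api.Module(args), ref: addr" format and names the documented Win32 constants for the APIs that appear on this page. The table layout and function names are the example's own; the sample input is copied from this report's trace lines. Bits that match no documented flag are reported rather than dropped, which is how the 00000400 passed to SetErrorMode at 029B0E19 (not a documented SEM_* value) surfaces.

```python
import re

# Added example (not part of the Joe Sandbox report). Decodes the hexadecimal
# arguments in this report's API trace lines into documented Win32 constants.

GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
FILE_ATTRS_FLAGS = {
    0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x04: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH",
}
MEM_ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROCESS_CREATION = {
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW",
}
ERROR_MODE = {
    0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX",
}

# Per API: (argument index, parameter name, decoder kind, table).
# "bits" decodes a bitmask, "enum" an exact value, "ms" a millisecond count.
ARG_DECODERS = {
    "CreateFileA": [
        (1, "dwDesiredAccess", "bits", GENERIC_ACCESS),
        (2, "dwShareMode", "bits", SHARE_MODE),
        (4, "dwCreationDisposition", "enum", CREATION_DISPOSITION),
        (5, "dwFlagsAndAttributes", "bits", FILE_ATTRS_FLAGS),
    ],
    "SetFileAttributesA": [(1, "dwFileAttributes", "bits", FILE_ATTRS_FLAGS)],
    "VirtualAlloc": [
        (2, "flAllocationType", "bits", MEM_ALLOC),
        (3, "flProtect", "enum", PAGE_PROTECT),
    ],
    "CreateProcessA": [(5, "dwCreationFlags", "bits", PROCESS_CREATION)],
    "SetErrorMode": [(0, "uMode", "bits", ERROR_MODE)],
    "WaitForSingleObject": [(1, "dwMilliseconds", "ms", None)],
    "Sleep": [(0, "dwMilliseconds", "ms", None)],
}

# Joe Sandbox format: "• Api.Module(arg,arg,...), ref: ADDRESS"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")


def parse_api_line(line):
    """Split one trace line into (api, module, args, ref); None for non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args").strip()
    args = [a.strip() for a in raw.split(",")] if raw else []
    return m.group("api"), m.group("module"), args, m.group("ref")


def _as_int(arg):
    """Hex stack value -> int; '?' and string literals (unrecovered values) -> None."""
    return int(arg, 16) if HEX_RE.match(arg) else None


def decode_bits(value, table):
    """Name every documented bit in value; report leftover bits instead of dropping them."""
    names, known = [], 0
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            known |= bit
    rest = value & ~known & 0xFFFFFFFF
    if rest:
        names.append("unknown:0x%08X" % rest)
    return "|".join(names) if names else "0"


def decode_call(line):
    """Decode the flag/enum/time arguments of one trace line, or None if it is not one."""
    parsed = parse_api_line(line)
    if parsed is None:
        return None
    api, _module, args, ref = parsed
    decoded = {}
    for index, param, kind, table in ARG_DECODERS.get(api, []):
        if index >= len(args):
            break
        value = _as_int(args[index])
        if value is None:
            decoded[param] = args[index]  # keep '?' or literal as the report shows it
        elif kind == "bits":
            decoded[param] = decode_bits(value, table)
        elif kind == "enum":
            decoded[param] = table.get(value, "unknown:0x%08X" % value)
        else:
            decoded[param] = "%d ms" % value
    return {"ref": ref, "api": api, "args": decoded}


def decode_trace(lines):
    """Decode every API line in a block of report text; other lines are skipped."""
    return [d for d in (decode_call(l) for l in lines) if d is not None]


# Sample input copied from this report's API traces (bullet and 'ref:' format are
# Joe Sandbox's own); the last line is a non-API header to show it is skipped.
SAMPLE_TRACE = """
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02BFDCB0
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
• SetErrorMode.KERNELBASE(00000400,?,?,029B0223,?,?), ref: 029B0E19
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
Memory Dump Source
""".strip().splitlines()

if __name__ == "__main__":
    for entry in decode_trace(SAMPLE_TRACE):
        print(entry["ref"], entry["api"], entry["args"])
```

Run stand-alone it prints one decoded line per trace entry; for the CreateFileA call at 00404021 that is GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL|FILE_FLAG_OVERLAPPED, which together with the 500 ms Sleep and the loop in its control-flow graph reads as "keep trying to open an existing file for read/write until it is no longer locked". Extending the decoder to further APIs is a matter of adding an ARG_DECODERS entry; keep the tables to values you have checked against the Win32 documentation, since a wrong name here is worse than an "unknown" bit.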
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0040CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                            • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                            • wsprintfA.USER32 ref: 0040CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                            • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                            • closesocket.WS2_32(?), ref: 0040D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                            • ExitProcess.KERNEL32 ref: 0040D583
                                                                                            • wsprintfA.USER32 ref: 0040D81F
                                                                                              • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                            • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$`4u$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-3237684401
                                                                                            • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                            • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7556F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7556F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 1639031587-6339388
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDv$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-868794581
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 029B65F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 029B6610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029B6631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029B6652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 2e641a22c38312b16daaee350788746e9877bd09c76a33a2abd2fb289dc01123
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 36113D71600218BFDB229F75DD49FDB3FACEF457A5F104024FA08A6250D7B1ED508AA4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: 0a66f4f24eebff46a6d1eba4c5b0f30797ab4fddd30b559a89f81ec772f921fa
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: D33148B6900609DFDB11CF99C984AEEBBF9FF48324F14414AD841A7350D771EA45CBA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                            • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1443238821.0000000002BF9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BF9000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2bf9000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: b03c5603c1ef9047319c2d723c448ef2f929473f4b13b57e26d3d5c93da23a74
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: 7D117072340101AFD744DF55DC80FA673EAEB89620B1980A5EA04CB315E67AE802CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction ID: d368135e42564d2e68dd37a759f2409f13f1ff75548028cdd3c4d342cc0a74d6
                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction Fuzzy Hash: 1F01A276A106048FDF22CF24CA05BEB33E9FFC6616F4545A5D90A9B281E774A9418B90
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 029B9E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 029B9FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 029B9FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 029BA004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 029BA054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 029BA09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 029BA0D6
                                                                                            • lstrcpy.KERNEL32 ref: 029BA12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 029BA13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 029B9F13
                                                                                              • Part of subcall function 029B7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 029B7081
                                                                                              • Part of subcall function 029B6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\sugxygo,029B7043), ref: 029B6F4E
                                                                                              • Part of subcall function 029B6F30: GetProcAddress.KERNEL32(00000000), ref: 029B6F55
                                                                                              • Part of subcall function 029B6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029B6F7B
                                                                                              • Part of subcall function 029B6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029B6F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029BA1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029BA1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 029BA214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 029BA21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 029BA265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 029BA29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 029BA2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 029BA2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 029BA2F4
                                                                                            • wsprintfA.USER32 ref: 029BA31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 029BA345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 029BA364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029BA387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029BA398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029BA1D1
                                                                                              • Part of subcall function 029B9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029B999D
                                                                                              • Part of subcall function 029B9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 029B99BD
                                                                                              • Part of subcall function 029B9966: RegCloseKey.ADVAPI32(?), ref: 029B99C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 029BA3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 029BA3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 029BA41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: 9d0296501e0905c2d4e9aa8298a28ff9b280062e846319ef1dd94a5fb444024c
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: 26F141B1D4025DAFDF22DBA08E48FEE7BBDAF09304F0444A6E605E2151E7759A848F64
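The API bullets in the entries above are easier to read once the raw hex words are mapped back to Win32 constants: the VirtualAlloc/VirtualAllocEx/WriteProcessMemory pair (00001000 is MEM_COMMIT, 00000040 is PAGE_EXECUTE_READWRITE), the AllocateAndInitializeSid/CheckTokenMembership check (00000020 is SECURITY_BUILTIN_DOMAIN_RID, 00000220 is DOMAIN_ALIAS_RID_ADMINS, so the sample tests for BUILTIN\Administrators), the RegOpenKeyExA root 80000001 (HKEY_CURRENT_USER) and the CreateProcessA flag 08000000 (CREATE_NO_WINDOW). The Python helper below is an added triage aid written for this page; it is not part of the Joe Sandbox report, of the IDA plugin, or of the sample. It assumes only the bullet format shown in these listings, the constant tables and pattern names are the editor's, the sample input is copied from the entries above, and any argument it does not recognise is passed through unchanged.

```python
"""Decoder for the 'APIs' bullets of a Joe Sandbox function listing.

Added triage helper for this page; not part of the Joe Sandbox report, the
Joe Sandbox IDA plugin, or the Tofsee sample. It assumes the bullet shape
    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
and names only the Win32 constants in the tables below. '?' is the plugin's
marker for an argument it could not recover from the dump.
"""
import re
from dataclasses import dataclass, field

API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"  # optional prefix
    r"(?P<api>\w+)\.(?P<mod>\w+)"            # VirtualAllocEx.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"              # optional (arg,arg,...) list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"   # , ref: 004063CA
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Win32 constants keyed by (API, zero-based argument index): a value is only
# named where the documented prototype puts a flag, root handle or RID there.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
HKEY_ROOT = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE"}
RIDS = {0x20: "SECURITY_BUILTIN_DOMAIN_RID", 0x220: "DOMAIN_ALIAS_RID_ADMINS"}
CP_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x08000000: "CREATE_NO_WINDOW"}
ARG_TABLES = {
    ("VirtualAlloc", 2): MEM_FLAGS, ("VirtualAlloc", 3): PAGE_PROT,
    ("VirtualAllocEx", 3): MEM_FLAGS, ("VirtualAllocEx", 4): PAGE_PROT,
    ("RegOpenKeyExA", 0): HKEY_ROOT,
    ("AllocateAndInitializeSid", 2): RIDS, ("AllocateAndInitializeSid", 3): RIDS,
    ("CreateProcessA", 5): CP_FLAGS,
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str
    args: list = field(default_factory=list)
    subcall: str = ""   # callee address when the bullet is a 'Part of subcall' line

    def arg(self, i):
        """Argument i as an unsigned 32-bit int if it is a plain hex word, else None."""
        if i < len(self.args) and HEX_RE.match(self.args[i]):
            return int(self.args[i], 16) & 0xFFFFFFFF
        return None


def parse_api_lines(text):
    """Turn the bullet lines of one 'APIs' section into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue   # headers such as 'APIs' or 'Memory Dump Source'
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), m.group("ref"),
                             args, m.group("sub") or ""))
    return calls


def decode(call):
    """Render one call with its recognised flag, root-key and RID arguments named."""
    shown = []
    for i, raw in enumerate(call.args):
        table = ARG_TABLES.get((call.api, i))
        val = call.arg(i)
        shown.append(f"{raw}={table[val]}" if table and val in table else raw)
    return f"{call.api}.{call.module}({', '.join(shown)}) @ {call.ref}"


def find_patterns(calls):
    """Flag API combinations within one function listing that deserve a closer look."""
    names = {c.api for c in calls}
    hits = []
    if any(c.api == "VirtualAllocEx" and c.arg(4) == 0x40 for c in calls) \
            and "WriteProcessMemory" in names:
        hits.append("remote PAGE_EXECUTE_READWRITE allocation plus WriteProcessMemory (injection primitive)")
    if any(c.api == "AllocateAndInitializeSid" and c.arg(2) == 0x20 and c.arg(3) == 0x220
           for c in calls) and "CheckTokenMembership" in names:
        hits.append("BUILTIN\\Administrators membership test (is-elevated check)")
    if {"GetTempPathA", "CreateProcessA", "DeleteFileA"} <= names:
        hits.append("temp-path drop, CreateProcessA, DeleteFileA (drop, run, clean up)")
    if any(c.api == "RegOpenKeyExA" and c.arg(0) == 0x80000001 for c in calls) \
            and "RegSetValueExA" in names:
        hits.append("value written under HKEY_CURRENT_USER (inspect the subkey for persistence)")
    return hits


# Constructed input: bullets copied from the injection and admin-check entries above.
INJECT_SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
"""
ADMIN_SAMPLE = """\
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
"""

if __name__ == "__main__":
    for sample in (INJECT_SAMPLE, ADMIN_SAMPLE):
        calls = parse_api_lines(sample)
        for c in calls:
            print(decode(c))
        for hit in find_patterns(calls):
            print("  pattern:", hit)
```

Run it on any 'APIs' block pasted from the report; the decoded VirtualAllocEx line reads `00001000=MEM_COMMIT, 00000040=PAGE_EXECUTE_READWRITE`, which is the detail that makes the later WriteProcessMemory an injection primitive rather than ordinary memory management. The pattern list is deliberately conservative: it reports an HKCU value write without naming the subkey, because the listing above shows that argument as `?`.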
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 029B7D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 029B7D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 029B7DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029B7DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 029B7DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029B7E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 029B7E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 029B7E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029B7E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 7c7ba836c86b22620e20ab916512d3a3523af567d24313c1bda3c30b58163d96
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: 06A14B72900219AFDB128FA0DE88FEEBBBDFF48744F04816AF505E6150D7758A85CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 029B7A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 029B7ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 029B7B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029B7B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 029B7B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029B7B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 029B7B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 029B7B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029B7B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 029B7BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 029B7BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 029B7C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 029B7C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 029B7CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 029B7CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 029B7CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: f654d0ebd20af280c1c699e3fd905bd77509bb0b3fcbacd0931144b6a0a99d2b
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 20813D72900219AFDB12CFE4DE88FEEBBBCAF48305F04816AE505E6250D7759A45CF64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg$W4u
                                                                                            • API String ID: 835516345-1619806614
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 029B865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 029B867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 029B86A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 029B86B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 237177642-3108538426
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 128f38fcc887b322a511e1dd8b67b7c755268c2cc85ed0bd091818acd99c2f06
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 88C17F71900149BFEF12ABA4DE89EEE7BBDEF48304F144066F604A6050E7714A948B65
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 029B2CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 029B2D07
                                                                                            • htons.WS2_32(00000000), ref: 029B2D42
                                                                                            • select.WS2_32 ref: 029B2D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 029B2DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029B2E62
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 127016686-6339388
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: a844754e445bd0e1a5e81102e49a2f9bdfbb3dfbc358388cf5ba20d742e5a797
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 9A61EF71904305ABC322AF65DD08BEBBBECEF88745F004829FD8497160D7B4D880CBA6
APIs
• ShellExecuteExW.SHELL32(?), ref: 029B1601
• lstrlenW.KERNEL32(-00000003), ref: 029B17D8
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029B76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 029B7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 029B778F
• ___ascii_stricmp.LIBCMT ref: 029B78B4
• RegCloseKey.ADVAPI32(?), ref: 029B794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029B796D
• RegCloseKey.ADVAPI32(?), ref: 029B797E
• RegCloseKey.ADVAPI32(?), ref: 029B79AC
• RegCloseKey.ADVAPI32(?), ref: 029B7A56
  • Part of subcall function 029BF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,029B772A,?), ref: 029BF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 029B79F6
• RegCloseKey.ADVAPI32(?), ref: 029B7A4D
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,755723A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll$W4u
• API String ID: 929413710-1050870963
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
APIs
• GetVersionExA.KERNEL32(?), ref: 029B95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029B95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 029B95DC
• wsprintfA.USER32 ref: 029B9635
• wsprintfA.USER32 ref: 029B9673
• wsprintfA.USER32 ref: 029B96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029B9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029B978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029B97D8
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: `4u$time_cfg
• API String ID: 311057483-456741473
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
APIs
• GetVersionExA.KERNEL32 ref: 029B202D
• GetSystemInfo.KERNEL32(?), ref: 029B204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 029B206A
• GetProcAddress.KERNEL32(00000000), ref: 029B2071
• GetCurrentProcess.KERNEL32(?), ref: 029B2082
• GetTickCount.KERNEL32 ref: 029B2230
  • Part of subcall function 029B1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 029B1E7C
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7568EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7568EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 029B3068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 029B3078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 029B3095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 029B30B6
                                                                                            • htons.WS2_32(00000035), ref: 029B30EF
                                                                                            • inet_addr.WS2_32(?), ref: 029B30FA
                                                                                            • gethostbyname.WS2_32(?), ref: 029B310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 029B314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: a34baf1f08ff3a42c0dd7040d1b1c7549d64c0ca321ca18b9277bb9fac303ece
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: BF31B631A00206BBDB12DBB89D48BEE77BCEF05764F1441A5E918E7290DB74D541CB5C
                                                                                            APIs
                                                                                            • htons.WS2_32(029BCC84), ref: 029BF5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 029BF5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 029BF5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: `4u$time_cfg
                                                                                            • API String ID: 311057483-456741473
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: c36697e206fae3cdf7e980bad387d8d87737c7ecd7eaa711cf87e197ec3a304b
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: 10318C7290011CABDB12DFB5DD88DEEBBBCEF88314F104566F905E3150E7708A818BA4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                            • API String ID: 1082366364-2834986871
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2981417381-1403908072
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 029B67C3
                                                                                            • htonl.WS2_32(?), ref: 029B67DF
                                                                                            • htonl.WS2_32(?), ref: 029B67EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 029B68F1
                                                                                            • ExitProcess.KERNEL32 ref: 029B69BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: 252678702cf82b402801c59cd2f9c6b4ca81ac2595015a62932f1b0a42368217
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: B3616E71940208AFDF619FA4DC45FEA77E9FF48300F148066FA6DD2161DB75A9908F14
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 029B2FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 029B2FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 029B2FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029B3000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 029B3007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 029B3032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 70892c50e9f0fef74d2f2dd83acb9e5615e6e99a6c72556d0a2db01196819b8f
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 8F21A171D01229BBCB22DF54DD88AEEBBBCEF08B50F004461F901E7540D7B49A8187E4
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\sugxygo,029B7043), ref: 029B6F4E
• GetProcAddress.KERNEL32(00000000), ref: 029B6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029B6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029B6F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\sugxygo
• API String ID: 1082366364-1010374325
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
• wsprintfA.USER32 ref: 029B9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
• lstrlen.KERNEL32(?,?,00000000), ref: 029B9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
• CloseHandle.KERNEL32(00000000), ref: 029B939B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 029B9A18
• GetThreadContext.KERNEL32(?,?), ref: 029B9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 029B9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 029B9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 029B9AB5
• ResumeThread.KERNEL32(?), ref: 029B9AC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
• inet_addr.WS2_32(004102D8), ref: 029B1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 029B1C26
• GetProcessHeap.KERNEL32 ref: 029B1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 029B1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 029B1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 029B1D02
• FreeLibrary.KERNEL32(?), ref: 029B1D0B
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1586453840-2980165447
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID: PromptOnSecureDesktop
• API String ID: 1371578007-2980165447
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 029B6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029B6D22
• GetLastError.KERNEL32 ref: 029B6DA7
• CloseHandle.KERNEL32(?), ref: 029B6DB5
• GetLastError.KERNEL32 ref: 029B6DD6
• DeleteFileA.KERNEL32(?), ref: 029B6DE7
• GetLastError.KERNEL32 ref: 029B6DFD
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029B93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 029B93CD
• CharToOemA.USER32(?,?), ref: 029B93DB
• wsprintfA.USER32 ref: 029B9410
  • Part of subcall function 029B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
  • Part of subcall function 029B92CB: wsprintfA.USER32 ref: 029B9350
  • Part of subcall function 029B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
  • Part of subcall function 029B92CB: lstrlen.KERNEL32(?,?,00000000), ref: 029B9389
  • Part of subcall function 029B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
  • Part of subcall function 029B92CB: CloseHandle.KERNEL32(00000000), ref: 029B939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029B9448
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: cfd63c9f51d115d1a3a7bdd0ca8150eef1c3339cb8dc1f674b8cd26bf15dc2df
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: FF713B71A00318BADF338B58DE85FEE376DAF81709F244467F904A6090DF7295C48B59
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 029BDF6C: GetCurrentThreadId.KERNEL32 ref: 029BDFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 029BE8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,029B6128), ref: 029BE950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 029BE989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: de33c884d5404985c5aea482ab15409ab6ba6d6156173993e0edb9d6f5071644
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: 5831B231A007059BDF738F24C9847E67BECEF09715F80892AE5D687551D374E888CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: 269d167a4fa46e2f1865d4837adcbfaaa042f403356f295e4d73e0c557cbf7ac
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: 37212E7A104119BFDB129BB0FE48EDF7FADEF49665B108425F502D1090EB70EA509B74
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75570F10,?,00000000,0040E538,?,75570F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 029BC6B4
                                                                                            • InterlockedIncrement.KERNEL32(029BC74B), ref: 029BC715
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,029BC747), ref: 029BC728
                                                                                            • CloseHandle.KERNEL32(00000000,?,029BC747,00413588,029B8A77), ref: 029BC733
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1026198776-1857712256
                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction ID: bec825192b39cae195558dc7e12f6a7e09e74ab2b81729216591cbf9874febf6
                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction Fuzzy Hash: FE514AB1A01B468FD7258F69C6D466ABBE9FF88304B50593FE18BC7A90D774E840CB10
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75570F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75570F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75570F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75570F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75570F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75570F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75570F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 124786226-2980165447
                                                                                            • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,029BE50A,00000000,00000000,00000000,00020106,00000000,029BE50A,00000000,000000E4), ref: 029BE319
                                                                                            • RegSetValueExA.ADVAPI32(029BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE38E
                                                                                            • RegDeleteValueA.ADVAPI32(029BE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE3BF
                                                                                            • RegCloseKey.ADVAPI32(029BE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029BE50A), ref: 029BE3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: 9d76c320faad90ea19956aa9fab8038ea3668973ae80c17f05a3b634b1221a7c
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: E3214A71A0021DBBDF229FA4ED89EEE7F7DEF08750F008021F944A6160E3718A54DBA0
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 029B71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7228
• LocalFree.KERNEL32(?,?,?), ref: 029B7286
• wsprintfA.USER32 ref: 029B729D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 464caa247c195e7534b5bb02cc54ca1f80958e5cce00a0371cebc8f276fa4088
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 9F312972A00208BFDB02DFA8DD45BDA7BACEF44314F14C166F959DB240EB75D6488BA4
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• GetLocalTime.KERNEL32(?), ref: 029BB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 029BB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 029BB548
• GetTimeZoneInformation.KERNEL32(?), ref: 029BB590
• wsprintfA.USER32 ref: 029BB61E
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 724ddb351160e7a98ca85c30cafe30d6e01b5a0d55529ddfa370c3705feaab14
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 5C511EB1D0021CAACF15DFD5D9889EEBBB9BF48304F10856AE505A6150E7F84AC9CF98
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 029B6303
• LoadLibraryA.KERNEL32(?), ref: 029B632A
• GetProcAddress.KERNEL32(00000000,?), ref: 029B63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 029B6405
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: aad41257da8cabcb71046fe7f354872aea0c2073ae96a8a25e94b59b3bd7ad9d
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 3B417971A00609ABDB16CF58CA84BEDBBBDFF04318F188469E969D7290E731F940CB50
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75570F18,00000000,?,75570F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75570F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75570F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
APIs
  • Part of subcall function 029BDF6C: GetCurrentThreadId.KERNEL32 ref: 029BDFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,029BA6AC), ref: 029BE7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,029BA6AC), ref: 029BE7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,029BA6AC), ref: 029BE819
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
• Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction ID: d6e9b282dc8568db452486c088d9ea86cdff918c519168309b7c6df57c138980
• Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction Fuzzy Hash: D32127B1A003047AF6237735AE49FEB3E0DDFA5B60F500034FA49B55D3EAA594508AB9
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75570F10,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75570F10,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,75570F10,?,00000000,?,0040A445), ref: 0040E5B2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
• Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
• Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029B76D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029B796D
• RegCloseKey.ADVAPI32(?), ref: 029B797E
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
• Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction ID: ef94afd45ec1076651251536969ba03c45657d08baa4c1dd71f67a8475297232
• Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
• Instruction Fuzzy Hash: E811DC32A00109AFDB128FA9DD44FEFBF7DEF86704F140261F510E6290E3B089408B61
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
• Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
• Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
• Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029B999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 029B99BD
• RegCloseKey.ADVAPI32(?), ref: 029B99C6
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction ID: e7075a9d172f9563088b878039ea5a8e8b19e09ea91dffb2c3ee4635050989d4
• Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
• Instruction Fuzzy Hash: 3DF0F6B2A80208BBF7116B54ED46FDB3A2CDF95B10F104060FA05B5091F6E59A9086BD
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
• Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
• Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
• Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: e12e3185b9d493d41d2444881e38ff6fe0016d23374082560665e496e5f71b62
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: DCE0C230A041119FCB018B2CF948AC537E8EF0A230F008580F844C31A0C734DCC09780
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$W4u
• API String ID: 1594361348-4149107023
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: ExitProcessSleepclosesocket
• String ID: `4u
• API String ID: 2012141568-6339388
• Opcode ID: a6f9f776857f4ecde53a678587fdf16408cfdffbb3d2d617deb71ab51d0e9a11
• Instruction ID: 3aef7f9a6dea1a1d2c3181746ccb3f84fcea5ab5969f81252adab277ea808dad
• Opcode Fuzzy Hash: a6f9f776857f4ecde53a678587fdf16408cfdffbb3d2d617deb71ab51d0e9a11
• Instruction Fuzzy Hash: F4C04830801208EBCB422BB4FC4CACC3E6AAF48302B20C160A14A910B0CAB00A909A29
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 029B69E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 029B6A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 029B6A3A
• CloseHandle.KERNEL32(000000FF), ref: 029B6BD8
  • Part of subcall function 029BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029B1DCF,?), ref: 029BEEA8
  • Part of subcall function 029BEE95: HeapFree.KERNEL32(00000000), ref: 029BEEAF
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
• Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction ID: 37a56a69097bbaca44971f93b24aa9fc4b056b55e35b644095545d563b4f8c0d
• Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
• Instruction Fuzzy Hash: 1C71057190422DEFDF129FA4CD80AEEBBBDFF08354F10456AE515A6190D730AE92DB60
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
• Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
• Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029B421F
• GetLastError.KERNEL32 ref: 029B4229
• WaitForSingleObject.KERNEL32(?,?), ref: 029B423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029B424D
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 1583882053477f464152fbe648e7064e94fafd86c941f07aa2be2d7e6cc1a3b1
• Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction Fuzzy Hash: E801A572911109ABDF02DF90EE84BEE7BACEF08255F108461F901E6051D7709A54ABB6
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029B41AB
• GetLastError.KERNEL32 ref: 029B41B5
• WaitForSingleObject.KERNEL32(?,?), ref: 029B41C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029B41D9
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 0bf8d5b814dfd0e2f984cb7a65127b0e70dc19d50f841843927de349a85ea806
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: A6010C7691110AAFDF02DF90EE84BEF7B6CEF18255F004061F905E2051D770DA549BB5
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 029BE066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 4c529f75edd2e8cfe3e5ce6fd2df7b88aaa4afb1ac67e450f00f64224b4967f4
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 5EF062312047069BCB22CF25D984AD2B7FDFF05325B84862AE595C3060D374A498CB55
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                            • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                            • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,029B44E2,00000000,00000000,00000000), ref: 029BE470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 029BE484
                                                                                              • Part of subcall function 029BE2FC: RegCreateKeyExA.ADVAPI32(80000001,029BE50A,00000000,00000000,00000000,00020106,00000000,029BE50A,00000000,000000E4), ref: 029BE319
                                                                                              • Part of subcall function 029BE2FC: RegSetValueExA.ADVAPI32(029BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE38E
                                                                                              • Part of subcall function 029BE2FC: RegDeleteValueA.ADVAPI32(029BE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE3BF
                                                                                              • Part of subcall function 029BE2FC: RegCloseKey.ADVAPI32(029BE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029BE50A), ref: 029BE3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction ID: bcb20d6c6b0d9502d3813669cb1dd65ff94b44909dfcd9bdd8c423c61b675e4f
                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction Fuzzy Hash: 6B413AB2D00208BBEF226F518E45FEB3F6DEF45764F408125FE0894091E7B59650CAB4
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                              • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                              • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                              • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                            • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                            • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                            • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 029B83C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 029B8477
                                                                                              • Part of subcall function 029B69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 029B69E5
                                                                                              • Part of subcall function 029B69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 029B6A26
                                                                                              • Part of subcall function 029B69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 029B6A3A
                                                                                              • Part of subcall function 029BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029B1DCF,?), ref: 029BEEA8
                                                                                              • Part of subcall function 029BEE95: HeapFree.KERNEL32(00000000), ref: 029BEEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 359188348-2980165447
                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction ID: 058d2e2d666173b218db3641edf9ac7209f9ca70d6ccf167a095350667d46fca
                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction Fuzzy Hash: 21417FB2901109BFEB12EBA09F84EFF776EFF48344F0444A6E508D6050E7B05A948B64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,029BE859,00000000,00020119,029BE859,PromptOnSecureDesktop), ref: 029BE64D
                                                                                            • RegCloseKey.ADVAPI32(029BE859,?,?,?,?,000000C8,000000E4), ref: 029BE787
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 47109696-2980165447
                                                                                            • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                            • Instruction ID: 3c2d0fbef72c9dfe7e0e6f34c9e6c9280ce7bc3d8b16ed3aa8b90b5dc213d095
                                                                                            • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                            • Instruction Fuzzy Hash: 6C4117B2D0011DBFDF12AFA4DD85EEEBB7EFF04304F504466EA00A6160E3719A559B60
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 029BAFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 029BB00D
                                                                                              • Part of subcall function 029BAF6F: gethostname.WS2_32(?,00000080), ref: 029BAF83
                                                                                              • Part of subcall function 029BAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 029BAFE6
                                                                                              • Part of subcall function 029B331C: gethostname.WS2_32(?,00000080), ref: 029B333F
                                                                                              • Part of subcall function 029B331C: gethostbyname.WS2_32(?), ref: 029B3349
                                                                                              • Part of subcall function 029BAA0A: inet_ntoa.WS2_32(00000000), ref: 029BAA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction ID: be7d2e97a8a8cedca03450c7ab4067071aee5f4092de5c340df3a6be6ba360d5
                                                                                            • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction Fuzzy Hash: C041317290020CABDB26EFA0DD45EEE3BADFF48304F144426F92992151EA75D654CF54
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 029B9536
• Sleep.KERNEL32(000001F4), ref: 029B955D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• GetTickCount.KERNEL32 ref: 029BB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 029BBA3A
• InterlockedIncrement.KERNEL32(?), ref: 029BBA94
• GetTickCount.KERNEL32 ref: 029BBB79
• GetTickCount.KERNEL32 ref: 029BBB99
• InterlockedIncrement.KERNEL32(?), ref: 029BBE15
• closesocket.WS2_32(00000000), ref: 029BBEB4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 029B70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 029B70F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7568EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
APIs
  • Part of subcall function 029B2F88: GetModuleHandleA.KERNEL32(?), ref: 029B2FA1
  • Part of subcall function 029B2F88: LoadLibraryA.KERNEL32(?), ref: 029B2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 029B31DA
• HeapFree.KERNEL32(00000000), ref: 029B31E1
Memory Dump Source
• Source File: 00000000.00000002.1442705056.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29b0000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 00000000.00000002.1441463942.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1441463942.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SGn3RtDC8Y.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0

Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 30.6%
Signature Coverage: 0%
Total number of Nodes: 1568
Total number of Limit Nodes: 14
                                                                                             execution_graph (flattened text export of the interactive call graph; only the call chains recoverable from the export are kept, as node address → APIs; the export breaks off at node 15467 40f315)
                                                                                             • Service entry and process hollowing: 409961 RegisterServiceCtrlHandlerA → 409892 SetServiceStatus → 4098f2 (409904 Sleep, 404280 CreateEventA) → 40977c → 409794 CreateProcessA → 4097d4 Wow64GetThreadContext → 40637c: 40638a GetModuleHandleA, VirtualAlloc → 4063be VirtualAllocEx → 4063df WriteProcessMemory → 40981e WriteProcessMemory → 40983b Wow64SetThreadContext → 409858 ResumeThread; failure branch 4097f6 TerminateProcess
                                                                                             • Main entry: 409a6b SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter → 40ec54 GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount → 409aa3 GetModuleHandleA, GetModuleFileNameA → 409afd GetCommandLineA; 40a1e3 GetCommandLineA; 40a1b2 GetDriveTypeA; 40a39d StartServiceCtrlDispatcherA; self-removal loop 40a3ed GetLastError → 40a3f8 Sleep → 40a406 DeleteFileA → 40a41c CreateThread, WSAStartup
                                                                                             • Registry persistence and service install: 409f32 RegOpenKeyExA → 409f48 RegSetValueExA, RegCloseKey; 409f9d GetModuleHandleA, GetModuleFileNameA → 409ff1 GetDriveTypeA → 40a0a4 wsprintfA → 40a103 CreateProcessA → 40a12a DeleteFileA; 40972d RegOpenKeyExA → 40974f RegDeleteValueA, RegCloseKey
                                                                                             • Dropped script execution: 409145 GetModuleHandleA, GetModuleFileNameA, CharToOemA → 40919e wsprintfA → 409064 GetTempPathA → 4090e2 wsprintfA → 4090fd CreateFileA → 40911a lstrlenA, WriteFile, CloseHandle → 4091d5 ShellExecuteA; 4092bf ShellExecuteA with 4092f1 Sleep retry
                                                                                             • Token and identity checks: 406eef AllocateAndInitializeSid → 406f1c CheckTokenMembership → 406f3b FreeSid; 406e36 GetUserNameW → 406e5f LookupAccountNameW; 406f5f GetUserNameA; 401280: 401570 lstrlenW, 4015be GetStartupInfoW → 4015ff CreateProcessWithLogonW → 40163f WaitForSingleObject → 401659/401668 CloseHandle
                                                                                             • File and registry ACL tampering: 407809 GetUserNameA → 40783d LookupAccountNameA → 407874 GetLengthSid, GetFileSecurityA → 4078a8 GetSecurityDescriptorOwner → 4078c5 EqualSid → 4078dc LocalAlloc → 4078ef InitializeSecurityDescriptor → 4078fb SetSecurityDescriptorOwner → 40790b SetFileSecurityA; 40791d GetSecurityDescriptorDacl → 40795b GetAce → 407980/4079be EqualSid → 40799d DeleteAce → 407a62 SetSecurityDescriptorDacl → 407a73 SetFileSecurityA; same pattern on registry keys from 407a95 RegOpenKeyExA with 407b24 RegGetKeySecurity, 407ba6/407d8c RegSetKeySecurity and 407d43 RegSetValueExA
                                                                                             • Dynamic API resolution: 40100d LoadLibraryA → GetProcAddress chain 4010b5 … 40125c; 40eaed LoadLibraryA → 40eb02 GetProcAddress; 4019b7 LoadLibraryA → 4019d5 GetProcAddress ×3 → 401a14 GetProcessHeap → 401a2e HeapAlloc → 401a52 HeapReAlloc → 401a96 HeapFree → 401aa1/401ab3 FreeLibrary; 406cdc GetModuleHandleA, GetProcAddress → 406d12 GetSystemDirectoryA → 406d27 GetWindowsDirectoryA
                                                                                             • Host fingerprinting: 401db4 GetVersionExA → 401dd0 GetSystemInfo, GetModuleHandleA, GetProcAddress → 401e16 GetCurrentProcess; 401924 GetVersionExA; 401c0d GetComputerNameA → 401c45 GetVolumeInformationA; 401b68 GetComputerNameA, GetVolumeInformationA; 406e02 GetVolumeInformationA; 4030d0 gethostname, gethostbyname; 40269e gethostbyname; 40c65c send
                                                                                             • Driver communication: 408e26 GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle
                                                                                             • Payload drops and execution: 40cc1c GetTempPathA; 40cfe3/40d027 GetSystemDirectoryA; 40cfad/40d22d/40d36e GetEnvironmentVariableA; 40d105/40d26e/40d3af lstrcatA; 40cc9f/40d15b/40d2b1/40d3f2 CreateFileA → WriteFile, CloseHandle; SetFileAttributesA at 40d149, 40d1bf, 40d29f, 40d31d, 40d3e0, 40d452; 40d4b1 CreateProcessA → 40d4e8 CloseHandle, CloseHandle; 40cd81 WaitForSingleObject, CloseHandle, CloseHandle → 40cdbd DeleteFileA; 40d569 Sleep; 40d582 ExitProcess
                                                                                             • Configuration and file helpers: 40db67 GetEnvironmentVariableA → 40db89 lstrcpyA, CreateFileA; 40e555 GetFileSize → 40e576 ReadFile → 40e5b1 CloseHandle; 40677a SetFileAttributesA → 406784 CreateFileA → 4067cf GetFileSize → ReadFile/SetFilePointer loop (4067ed … 40690d) → 40696e CloseHandle; 406a60 CreateFileA → 406a8f GetDiskFreeSpaceA → 4069b9/406a10 WriteFile → 406b36/406b65 GetLastError, CloseHandle → 406b7f DeleteFileA
                                                                                             • Registry enumeration: 407469 RegOpenKeyExA → 4074d2 RegOpenKeyExA, 407521 RegQueryValueExA, 407703 RegEnumKeyA, 40777e GetFileAttributesExA; 4070b9 RegOpenKeyExA → 40719b RegEnumValueA, 40737e GetFileAttributesExA; 40e3ca RegOpenKeyExA → 40e434/40e46e/40e4b9 RegQueryValueExA → 40e51d RegCloseKey; 408156 RegOpenKeyExA → 40816d/4081aa RegQueryValueExA → 40820d RegCloseKey; 4094e8 RegOpenKeyExA → 40951f/409556 RegQueryValueExA → 40956e RegCloseKey
                                                                                             • Overlapped I/O helpers: 40400b CreateFileA → 40402c GetLastError → 404041 Sleep (retry); 403f18 WriteFile → 403f4e GetLastError → 403f5b WaitForSingleObject, GetOverlappedResult; 403f8c ReadFile → 403fc2 GetLastError → 403fcf WaitForSingleObject, GetOverlappedResult
                                                                                             • Synchronisation and heap wrappers: 40dd05 GetTickCount → 40dd41 InterlockedExchange → 40dd20 GetCurrentThreadId → 40dd2e GetTickCount → 40dd39 Sleep; 40dd53 GetCurrentThreadId; 40ebcc GetProcessHeap, HeapAlloc; 40eb7b GetProcessHeap, HeapSize; 40eba7 GetProcessHeap, HeapSize → 40ebbf GetProcessHeap, HeapFree; 40ec0a GetProcessHeap, HeapReAlloc; 40f0fa lstrlenA, SysAllocStringByteLen → 40f11c MultiByteToWideChar
15333->15467 15338 40c8d2 15336->15338 15337 40c907 15337->14826 15338->15337 15339 40c517 23 API calls 15338->15339 15339->15337 15340 40f43e 15341 40f473 recv 15340->15341 15342 40f458 15341->15342 15343 40f47c 15341->15343 15342->15341 15342->15343 15343->14842 15345 40c670 15344->15345 15347 40c67d 15344->15347 15346 40ebcc 4 API calls 15345->15346 15346->15347 15348 40ebcc 4 API calls 15347->15348 15350 40c699 15347->15350 15348->15350 15349 40c6f3 15349->14916 15350->15349 15351 40c73c send 15350->15351 15351->15349 15353 40c770 15352->15353 15354 40c77d 15352->15354 15355 40ebcc 4 API calls 15353->15355 15356 40c799 15354->15356 15357 40ebcc 4 API calls 15354->15357 15355->15354 15358 40c7b5 15356->15358 15359 40ebcc 4 API calls 15356->15359 15357->15356 15360 40f43e recv 15358->15360 15359->15358 15361 40c7cb 15360->15361 15362 40f43e recv 15361->15362 15363 40c7d3 15361->15363 15362->15363 15363->14916 15477 407db7 15364->15477 15367 40f04e 4 API calls 15369 407e4c 15367->15369 15368 407e96 15368->14916 15371 40f04e 4 API calls 15369->15371 15372 407e70 15369->15372 15370 40f04e 4 API calls 15370->15368 15371->15372 15372->15368 15372->15370 15374 406ec3 2 API calls 15373->15374 15375 407fdd 15374->15375 15376 4073ff 17 API calls 15375->15376 15385 4080c2 CreateProcessA 15375->15385 15377 407fff 15376->15377 15378 407809 21 API calls 15377->15378 15377->15385 15379 40804d 15378->15379 15380 40ef1e lstrlenA 15379->15380 15379->15385 15381 40809e 15380->15381 15382 40ef1e lstrlenA 15381->15382 15383 4080af 15382->15383 15384 407a95 24 API calls 15383->15384 15384->15385 15385->14905 15385->14906 15387 407db7 2 API calls 15386->15387 15388 407eb8 15387->15388 15389 40f04e 4 API calls 15388->15389 15390 407ece DeleteFileA 15389->15390 15390->14916 15392 40dd05 6 API calls 15391->15392 15393 40e31d 15392->15393 15481 40e177 15393->15481 15395 40e326 15395->14877 15397 4031f3 15396->15397 15399 4031ec 15396->15399 15398 40ebcc 4 API calls 15397->15398 15400 
4031fc 15398->15400 15399->14916 15400->15399 15407 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15400->15407 15408 40344d 15400->15408 15410 40344b 15400->15410 15412 403141 lstrcmpiA 15400->15412 15507 4030fa GetTickCount 15400->15507 15401 403459 15404 40f04e 4 API calls 15401->15404 15402 40349d 15403 40ec2e codecvt 4 API calls 15402->15403 15403->15399 15405 40345f 15404->15405 15406 4030fa 4 API calls 15405->15406 15406->15399 15407->15400 15409 40ec2e codecvt 4 API calls 15408->15409 15409->15410 15410->15401 15410->15402 15412->15400 15414 4030fa 4 API calls 15413->15414 15415 403c1a 15414->15415 15419 403ce6 15415->15419 15512 403a72 15415->15512 15418 403a72 9 API calls 15422 403c5e 15418->15422 15419->14916 15420 403a72 9 API calls 15420->15422 15421 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15421->15422 15422->15419 15422->15420 15422->15421 15424 403a10 15423->15424 15425 4030fa 4 API calls 15424->15425 15426 403a1a 15425->15426 15426->14916 15428 40dd05 6 API calls 15427->15428 15429 40e7be 15428->15429 15429->14916 15431 40c105 15430->15431 15432 40c07e wsprintfA 15430->15432 15431->14916 15521 40bfce GetTickCount wsprintfA 15432->15521 15434 40c0ef 15522 40bfce GetTickCount wsprintfA 15434->15522 15437 407047 15436->15437 15438 406f88 LookupAccountNameA 15436->15438 15437->14916 15440 407025 15438->15440 15441 406fcb 15438->15441 15442 406edd 5 API calls 15440->15442 15443 406fdb ConvertSidToStringSidA 15441->15443 15444 40702a wsprintfA 15442->15444 15443->15440 15445 406ff1 15443->15445 15444->15437 15446 407013 LocalFree 15445->15446 15446->15440 15448 40dd05 6 API calls 15447->15448 15449 40e85c 15448->15449 15450 40dd84 lstrcmpiA 15449->15450 15451 40e867 15450->15451 15452 40e885 lstrcpyA 15451->15452 15523 4024a5 15451->15523 15526 40dd69 15452->15526 15458 407db7 2 API calls 15457->15458 15459 407de1 15458->15459 15460 40f04e 4 API calls 15459->15460 15463 407e16 15459->15463 15461 407df2 15460->15461 15462 
40f04e 4 API calls 15461->15462 15461->15463 15462->15463 15463->14916 15465 40dd84 lstrcmpiA 15464->15465 15466 40c58e 15465->15466 15466->15314 15466->15321 15466->15324 15468 40f33b 15467->15468 15472 40ca1d 15467->15472 15469 40f347 htons socket 15468->15469 15470 40f382 ioctlsocket 15469->15470 15469->15472 15471 40f3aa connect select 15470->15471 15470->15472 15471->15472 15473 40f3f2 __WSAFDIsSet 15471->15473 15472->14839 15472->15340 15473->15472 15474 40f403 ioctlsocket 15473->15474 15476 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15474->15476 15476->15472 15478 407dc8 InterlockedExchange 15477->15478 15479 407dc0 Sleep 15478->15479 15480 407dd4 15478->15480 15479->15478 15480->15367 15480->15372 15482 40e184 15481->15482 15483 40e2e4 15482->15483 15484 40e223 15482->15484 15497 40dfe2 15482->15497 15483->15395 15484->15483 15486 40dfe2 8 API calls 15484->15486 15491 40e23c 15486->15491 15487 40e1be 15487->15484 15488 40dbcf 3 API calls 15487->15488 15490 40e1d6 15488->15490 15489 40e21a CloseHandle 15489->15484 15490->15484 15490->15489 15492 40e1f9 WriteFile 15490->15492 15491->15483 15501 40e095 RegCreateKeyExA 15491->15501 15492->15489 15494 40e213 15492->15494 15494->15489 15495 40e2a3 15495->15483 15496 40e095 4 API calls 15495->15496 15496->15483 15498 40dffc 15497->15498 15500 40e024 15497->15500 15499 40db2e 8 API calls 15498->15499 15498->15500 15499->15500 15500->15487 15502 40e172 15501->15502 15505 40e0c0 15501->15505 15502->15495 15503 40e13d 15504 40e14e RegDeleteValueA RegCloseKey 15503->15504 15504->15502 15505->15503 15506 40e115 RegSetValueExA 15505->15506 15506->15503 15506->15505 15508 403122 InterlockedExchange 15507->15508 15509 40312e 15508->15509 15510 40310f GetTickCount 15508->15510 15509->15400 15510->15509 15511 40311a Sleep 15510->15511 15511->15508 15513 40f04e 4 API calls 15512->15513 15514 403a83 15513->15514 15516 403bc0 15514->15516 15517 403ac1 15514->15517 15520 403b66 lstrlenA 15514->15520 15515 
403be6 15518 40ec2e codecvt 4 API calls 15515->15518 15516->15515 15519 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15516->15519 15517->15418 15517->15419 15518->15517 15519->15516 15520->15514 15520->15517 15521->15434 15522->15431 15524 402419 4 API calls 15523->15524 15525 4024b6 15524->15525 15525->15452 15527 40dd79 lstrlenA 15526->15527 15527->14916 15529 404084 15528->15529 15530 40407d 15528->15530 15531 403ecd 6 API calls 15529->15531 15532 40408f 15531->15532 15533 404000 3 API calls 15532->15533 15534 404095 15533->15534 15535 404130 15534->15535 15540 403f18 4 API calls 15534->15540 15536 403ecd 6 API calls 15535->15536 15537 404159 CreateNamedPipeA 15536->15537 15538 404167 Sleep 15537->15538 15539 404188 ConnectNamedPipe 15537->15539 15538->15535 15541 404176 CloseHandle 15538->15541 15543 404195 GetLastError 15539->15543 15552 4041ab 15539->15552 15542 4040da 15540->15542 15541->15539 15544 403f8c 4 API calls 15542->15544 15545 40425e DisconnectNamedPipe 15543->15545 15543->15552 15546 4040ec 15544->15546 15545->15539 15547 404127 CloseHandle 15546->15547 15548 404101 15546->15548 15547->15535 15549 403f18 4 API calls 15548->15549 15550 40411c ExitProcess 15549->15550 15551 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15551->15552 15552->15539 15552->15545 15552->15551 15553 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15552->15553 15554 40426a CloseHandle CloseHandle 15552->15554 15553->15552 15555 40e318 23 API calls 15554->15555 15556 40427b 15555->15556 15556->15556 15558 408791 15557->15558 15559 40879f 15557->15559 15560 40f04e 4 API calls 15558->15560 15561 4087bc 15559->15561 15562 40f04e 4 API calls 15559->15562 15560->15559 15563 40e819 11 API calls 15561->15563 15562->15561 15564 4087d7 15563->15564 15576 408803 15564->15576 15579 4026b2 gethostbyaddr 15564->15579 15567 4087eb 15569 40e8a1 30 API calls 15567->15569 15567->15576 15569->15576 15572 40e819 11 API calls 
15572->15576 15573 4088a0 Sleep 15573->15576 15575 4026b2 2 API calls 15575->15576 15576->15572 15576->15573 15576->15575 15577 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15576->15577 15578 40e8a1 30 API calls 15576->15578 15584 408cee 15576->15584 15592 40c4d6 15576->15592 15595 40c4e2 15576->15595 15598 402011 15576->15598 15633 408328 15576->15633 15577->15576 15578->15576 15580 4026fb 15579->15580 15581 4026cd 15579->15581 15580->15567 15582 4026e1 inet_ntoa 15581->15582 15583 4026de 15581->15583 15582->15583 15583->15567 15585 408d02 GetTickCount 15584->15585 15586 408dae 15584->15586 15585->15586 15588 408d19 15585->15588 15586->15576 15587 408da1 GetTickCount 15587->15586 15588->15587 15591 408d89 15588->15591 15685 40a677 15588->15685 15688 40a688 15588->15688 15591->15587 15696 40c2dc 15592->15696 15596 40c2dc 136 API calls 15595->15596 15597 40c4ec 15596->15597 15597->15576 15599 402020 15598->15599 15600 40202e 15598->15600 15602 40f04e 4 API calls 15599->15602 15601 40204b 15600->15601 15603 40f04e 4 API calls 15600->15603 15604 40206e GetTickCount 15601->15604 15605 40f04e 4 API calls 15601->15605 15602->15600 15603->15601 15606 4020db GetTickCount 15604->15606 15616 402090 15604->15616 15608 402068 15605->15608 15607 402132 GetTickCount GetTickCount 15606->15607 15619 4020e7 15606->15619 15610 40f04e 4 API calls 15607->15610 15608->15604 15609 4020d4 GetTickCount 15609->15606 15612 402159 15610->15612 15611 40212b GetTickCount 15611->15607 15614 4021b4 15612->15614 15618 40e854 13 API calls 15612->15618 15613 402684 gethostbyname 15613->15616 15617 40f04e 4 API calls 15614->15617 15616->15609 15616->15613 15622 4020ce 15616->15622 16021 401978 15616->16021 15621 4021d1 15617->15621 15623 40218e 15618->15623 15619->15611 15624 402125 15619->15624 15627 401978 12 API calls 15619->15627 16024 402ef8 15619->16024 15625 4021f2 15621->15625 15628 40ea84 30 API calls 15621->15628 15622->15609 15626 40e819 11 API calls 
15623->15626 15624->15611 15625->15576 15629 40219c 15626->15629 15627->15619 15630 4021ec 15628->15630 15629->15614 16032 401c5f 15629->16032 15631 40f04e 4 API calls 15630->15631 15631->15625 15634 407dd6 6 API calls 15633->15634 15635 40833c 15634->15635 15636 406ec3 2 API calls 15635->15636 15645 408340 15635->15645 15637 40834f 15636->15637 15638 40835c 15637->15638 15640 40846b 15637->15640 15639 4073ff 17 API calls 15638->15639 15659 408373 15639->15659 15643 4084a7 RegOpenKeyExA 15640->15643 15673 408450 15640->15673 15641 408626 GetTempPathA 15669 408638 15641->15669 15642 40675c 21 API calls 15652 4085df 15642->15652 15646 4084c0 RegQueryValueExA 15643->15646 15647 40852f 15643->15647 15645->15576 15649 408521 RegCloseKey 15646->15649 15650 4084dd 15646->15650 15653 408564 RegOpenKeyExA 15647->15653 15664 4085a5 15647->15664 15648 4086ad 15651 408762 15648->15651 15654 407e2f 6 API calls 15648->15654 15649->15647 15650->15649 15656 40ebcc 4 API calls 15650->15656 15651->15645 15658 40ec2e codecvt 4 API calls 15651->15658 15652->15641 15652->15651 15652->15669 15655 408573 RegSetValueExA RegCloseKey 15653->15655 15653->15664 15665 4086bb 15654->15665 15655->15664 15661 4084f0 15656->15661 15657 40875b DeleteFileA 15657->15651 15658->15645 15659->15645 15662 4083ea RegOpenKeyExA 15659->15662 15659->15673 15661->15649 15663 4084f8 RegQueryValueExA 15661->15663 15666 4083fd RegQueryValueExA 15662->15666 15662->15673 15663->15649 15667 408515 15663->15667 15668 40ec2e codecvt 4 API calls 15664->15668 15664->15673 15665->15657 15674 4086e0 lstrcpyA lstrlenA 15665->15674 15670 40842d RegSetValueExA 15666->15670 15671 40841e 15666->15671 15672 40ec2e codecvt 4 API calls 15667->15672 15668->15673 16104 406ba7 IsBadCodePtr 15669->16104 15676 408447 RegCloseKey 15670->15676 15671->15670 15671->15676 15677 40851d 15672->15677 15673->15642 15673->15652 15675 407fcf 64 API calls 15674->15675 15678 408719 CreateProcessA 15675->15678 15676->15673 15677->15649 15679 
40873d CloseHandle CloseHandle 15678->15679 15680 40874f 15678->15680 15679->15651 15681 407ee6 64 API calls 15680->15681 15682 408754 15681->15682 15683 407ead 6 API calls 15682->15683 15684 40875a 15683->15684 15684->15657 15691 40a63d 15685->15691 15687 40a685 15687->15588 15689 40a63d GetTickCount 15688->15689 15690 40a696 15689->15690 15690->15588 15692 40a645 15691->15692 15693 40a64d 15691->15693 15692->15687 15694 40a65e GetTickCount 15693->15694 15695 40a66e 15693->15695 15694->15695 15695->15687 15712 40a4c7 GetTickCount 15696->15712 15699 40c300 GetTickCount 15701 40c337 15699->15701 15700 40c326 15700->15701 15702 40c32b GetTickCount 15700->15702 15705 40c363 GetTickCount 15701->15705 15711 40c45e 15701->15711 15702->15701 15703 40c4d2 15703->15576 15704 40c4ab InterlockedIncrement CreateThread 15704->15703 15706 40c4cb CloseHandle 15704->15706 15717 40b535 15704->15717 15707 40c373 15705->15707 15705->15711 15706->15703 15708 40c378 GetTickCount 15707->15708 15709 40c37f 15707->15709 15708->15709 15710 40c43b GetTickCount 15709->15710 15710->15711 15711->15703 15711->15704 15713 40a4f7 InterlockedExchange 15712->15713 15714 40a500 15713->15714 15715 40a4e4 GetTickCount 15713->15715 15714->15699 15714->15700 15714->15711 15715->15714 15716 40a4ef Sleep 15715->15716 15716->15713 15718 40b566 15717->15718 15719 40ebcc 4 API calls 15718->15719 15720 40b587 15719->15720 15721 40ebcc 4 API calls 15720->15721 15768 40b590 15721->15768 15722 40bdcd InterlockedDecrement 15723 40bde2 15722->15723 15725 40ec2e codecvt 4 API calls 15723->15725 15726 40bdea 15725->15726 15728 40ec2e codecvt 4 API calls 15726->15728 15727 40bdb7 Sleep 15727->15768 15729 40bdf2 15728->15729 15731 40be05 15729->15731 15732 40ec2e codecvt 4 API calls 15729->15732 15730 40bdcc 15730->15722 15732->15731 15733 40ebed 8 API calls 15733->15768 15736 40b6b6 lstrlenA 15736->15768 15737 4030b5 2 API calls 15737->15768 15738 40b6ed lstrcpyA 15790 405ce1 15738->15790 15739 40e819 11 API calls 
15739->15768 15742 40b731 lstrlenA 15742->15768 15743 40b71f lstrcmpA 15743->15742 15743->15768 15744 40b772 GetTickCount 15744->15768 15745 40bd49 InterlockedIncrement 15884 40a628 15745->15884 15748 40ab81 lstrcpynA InterlockedIncrement 15748->15768 15749 40bc5b InterlockedIncrement 15749->15768 15750 4038f0 6 API calls 15750->15768 15751 40b7ce InterlockedIncrement 15800 40acd7 15751->15800 15754 40b912 GetTickCount 15754->15768 15755 40b826 InterlockedIncrement 15755->15744 15756 40b932 GetTickCount 15757 40bc6d InterlockedIncrement 15756->15757 15756->15768 15757->15768 15759 40a7c1 22 API calls 15759->15768 15760 40bba6 InterlockedIncrement 15760->15768 15764 405ce1 22 API calls 15764->15768 15765 40ba71 wsprintfA 15818 40a7c1 15765->15818 15768->15722 15768->15727 15768->15730 15768->15733 15768->15736 15768->15737 15768->15738 15768->15739 15768->15742 15768->15743 15768->15744 15768->15745 15768->15748 15768->15749 15768->15750 15768->15751 15768->15754 15768->15755 15768->15756 15768->15759 15768->15760 15768->15764 15768->15765 15769 40ef1e lstrlenA 15768->15769 15770 405ded 12 API calls 15768->15770 15771 40a688 GetTickCount 15768->15771 15772 403e10 15768->15772 15775 403e4f 15768->15775 15778 40384f 15768->15778 15798 40a7a3 inet_ntoa 15768->15798 15805 40abee 15768->15805 15817 401feb GetTickCount 15768->15817 15838 403cfb 15768->15838 15841 40b3c5 15768->15841 15872 40ab81 15768->15872 15769->15768 15770->15768 15771->15768 15773 4030fa 4 API calls 15772->15773 15774 403e1d 15773->15774 15774->15768 15776 4030fa 4 API calls 15775->15776 15777 403e5c 15776->15777 15777->15768 15779 4030fa 4 API calls 15778->15779 15781 403863 15779->15781 15780 4038b2 15780->15768 15781->15780 15782 4038b9 15781->15782 15783 403889 15781->15783 15893 4035f9 15782->15893 15887 403718 15783->15887 15788 403718 6 API calls 15788->15780 15789 4035f9 6 API calls 15789->15780 15791 405cf4 15790->15791 15792 405cec 15790->15792 15793 404bd1 4 API calls 15791->15793 15899 
404bd1 GetTickCount 15792->15899 15795 405d02 15793->15795 15904 405472 15795->15904 15799 40a7b9 15798->15799 15799->15768 15801 40f315 12 API calls 15800->15801 15802 40aceb 15801->15802 15803 40acff 15802->15803 15804 40f315 12 API calls 15802->15804 15803->15768 15804->15803 15806 40abfb 15805->15806 15809 40ac65 15806->15809 15967 402f22 15806->15967 15808 40f315 12 API calls 15808->15809 15809->15808 15810 40ac8a 15809->15810 15811 40ac6f 15809->15811 15810->15768 15813 40ab81 2 API calls 15811->15813 15812 40ac23 15812->15809 15815 402684 gethostbyname 15812->15815 15814 40ac81 15813->15814 15975 4038f0 15814->15975 15815->15812 15817->15768 15819 40a87d lstrlenA send 15818->15819 15820 40a7df 15818->15820 15821 40a899 15819->15821 15822 40a8bf 15819->15822 15820->15819 15826 40a7fa wsprintfA 15820->15826 15829 40a80a 15820->15829 15830 40a8f2 15820->15830 15823 40a8a5 wsprintfA 15821->15823 15837 40a89e 15821->15837 15824 40a8c4 send 15822->15824 15822->15830 15823->15837 15827 40a8d8 wsprintfA 15824->15827 15824->15830 15825 40a978 recv 15825->15830 15831 40a982 15825->15831 15826->15829 15827->15837 15828 40a9b0 wsprintfA 15828->15837 15829->15819 15830->15825 15830->15828 15830->15831 15832 4030b5 2 API calls 15831->15832 15831->15837 15833 40ab05 15832->15833 15834 40e819 11 API calls 15833->15834 15835 40ab17 15834->15835 15836 40a7a3 inet_ntoa 15835->15836 15836->15837 15837->15768 15839 4030fa 4 API calls 15838->15839 15840 403d0b 15839->15840 15840->15768 15842 405ce1 22 API calls 15841->15842 15843 40b3e6 15842->15843 15844 405ce1 22 API calls 15843->15844 15846 40b404 15844->15846 15845 40b440 15847 40ef7c 3 API calls 15845->15847 15846->15845 15848 40ef7c 3 API calls 15846->15848 15849 40b458 wsprintfA 15847->15849 15850 40b42b 15848->15850 15851 40ef7c 3 API calls 15849->15851 15852 40ef7c 3 API calls 15850->15852 15853 40b480 15851->15853 15852->15845 15854 40ef7c 3 API calls 15853->15854 15855 40b493 15854->15855 15856 40ef7c 3 API calls 
15855->15856 15857 40b4bb 15856->15857 15989 40ad89 GetLocalTime SystemTimeToFileTime 15857->15989 15861 40b4cc 15862 40ef7c 3 API calls 15861->15862 15863 40b4dd 15862->15863 15864 40b211 7 API calls 15863->15864 15865 40b4ec 15864->15865 15866 40ef7c 3 API calls 15865->15866 15867 40b4fd 15866->15867 15868 40b211 7 API calls 15867->15868 15869 40b509 15868->15869 15870 40ef7c 3 API calls 15869->15870 15871 40b51a 15870->15871 15871->15768 15873 40abe9 GetTickCount 15872->15873 15875 40ab8c 15872->15875 15877 40a51d 15873->15877 15874 40aba8 lstrcpynA 15874->15875 15875->15873 15875->15874 15876 40abe1 InterlockedIncrement 15875->15876 15876->15875 15878 40a4c7 4 API calls 15877->15878 15879 40a52c 15878->15879 15880 40a542 GetTickCount 15879->15880 15882 40a539 GetTickCount 15879->15882 15880->15882 15883 40a56c 15882->15883 15883->15768 15885 40a4c7 4 API calls 15884->15885 15886 40a633 15885->15886 15886->15768 15888 40f04e 4 API calls 15887->15888 15890 40372a 15888->15890 15889 403847 15889->15780 15889->15788 15890->15889 15891 4037b3 GetCurrentThreadId 15890->15891 15891->15890 15892 4037c8 GetCurrentThreadId 15891->15892 15892->15890 15894 40f04e 4 API calls 15893->15894 15898 40360c 15894->15898 15895 4036f1 15895->15780 15895->15789 15896 4036da GetCurrentThreadId 15896->15895 15897 4036e5 GetCurrentThreadId 15896->15897 15897->15895 15898->15895 15898->15896 15900 404bff InterlockedExchange 15899->15900 15901 404c08 15900->15901 15902 404bec GetTickCount 15900->15902 15901->15791 15902->15901 15903 404bf7 Sleep 15902->15903 15903->15900 15923 404763 15904->15923 15906 405b58 15933 404699 15906->15933 15909 404763 lstrlenA 15910 405b6e 15909->15910 15954 404f9f 15910->15954 15912 405b79 15912->15768 15914 405549 lstrlenA 15922 40548a 15914->15922 15916 40558d lstrcpynA 15916->15922 15917 405a9f lstrcpyA 15917->15922 15918 404ae6 8 API calls 15918->15922 15919 405935 lstrcpynA 15919->15922 15920 405472 13 API calls 15920->15922 15921 4058e7 lstrcpyA 
15921->15922 15922->15906 15922->15916 15922->15917 15922->15918 15922->15919 15922->15920 15922->15921 15927 404ae6 15922->15927 15931 40ef7c lstrlenA lstrlenA lstrlenA 15922->15931 15925 40477a 15923->15925 15924 404859 15924->15922 15925->15924 15926 40480d lstrlenA 15925->15926 15926->15925 15928 404af3 15927->15928 15930 404b03 15927->15930 15929 40ebed 8 API calls 15928->15929 15929->15930 15930->15914 15932 40efb4 15931->15932 15932->15922 15959 4045b3 15933->15959 15936 4045b3 7 API calls 15937 4046c6 15936->15937 15938 4045b3 7 API calls 15937->15938 15939 4046d8 15938->15939 15940 4045b3 7 API calls 15939->15940 15941 4046ea 15940->15941 15942 4045b3 7 API calls 15941->15942 15943 4046ff 15942->15943 15944 4045b3 7 API calls 15943->15944 15945 404711 15944->15945 15946 4045b3 7 API calls 15945->15946 15947 404723 15946->15947 15948 40ef7c 3 API calls 15947->15948 15949 404735 15948->15949 15950 40ef7c 3 API calls 15949->15950 15951 40474a 15950->15951 15952 40ef7c 3 API calls 15951->15952 15953 40475c 15952->15953 15953->15909 15955 404fac 15954->15955 15958 404fb0 15954->15958 15955->15912 15956 404ffd 15956->15912 15957 404fd5 IsBadCodePtr 15957->15958 15958->15956 15958->15957 15960 4045c1 15959->15960 15961 4045c8 15959->15961 15962 40ebcc 4 API calls 15960->15962 15963 40ebcc 4 API calls 15961->15963 15965 4045e1 15961->15965 15962->15961 15963->15965 15964 404691 15964->15936 15965->15964 15966 40ef7c 3 API calls 15965->15966 15966->15965 15982 402d21 GetModuleHandleA 15967->15982 15970 402fcf GetProcessHeap HeapFree 15974 402f44 15970->15974 15971 402f4f 15973 402f6b GetProcessHeap HeapFree 15971->15973 15972 402f85 15972->15970 15972->15972 15973->15974 15974->15812 15976 403900 15975->15976 15977 403980 15975->15977 15978 4030fa 4 API calls 15976->15978 15977->15810 15981 40390a 15978->15981 15979 40391b GetCurrentThreadId 15979->15981 15980 403939 GetCurrentThreadId 15980->15981 15981->15977 15981->15979 15981->15980 15983 402d46 LoadLibraryA 
15982->15983 15984 402d5b GetProcAddress 15982->15984 15983->15984 15986 402d54 15983->15986 15984->15986 15988 402d6b 15984->15988 15985 402d97 GetProcessHeap HeapAlloc 15985->15986 15985->15988 15986->15971 15986->15972 15986->15974 15987 402db5 lstrcpynA 15987->15988 15988->15985 15988->15986 15988->15987 15990 40adbf 15989->15990 16014 40ad08 gethostname 15990->16014 15993 4030b5 2 API calls 15994 40add3 15993->15994 15995 40a7a3 inet_ntoa 15994->15995 15997 40ade4 15994->15997 15995->15997 15996 40ae85 wsprintfA 15998 40ef7c 3 API calls 15996->15998 15997->15996 15999 40ae36 wsprintfA wsprintfA 15997->15999 16000 40aebb 15998->16000 16001 40ef7c 3 API calls 15999->16001 16002 40ef7c 3 API calls 16000->16002 16001->15997 16003 40aed2 16002->16003 16004 40b211 16003->16004 16005 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16004->16005 16006 40b2af GetLocalTime 16004->16006 16007 40b2d2 16005->16007 16006->16007 16008 40b2d9 SystemTimeToFileTime 16007->16008 16009 40b31c GetTimeZoneInformation 16007->16009 16010 40b2ec 16008->16010 16011 40b33a wsprintfA 16009->16011 16012 40b312 FileTimeToSystemTime 16010->16012 16011->15861 16012->16009 16015 40ad71 16014->16015 16020 40ad26 lstrlenA 16014->16020 16017 40ad85 16015->16017 16018 40ad79 lstrcpyA 16015->16018 16017->15993 16018->16017 16019 40ad68 lstrlenA 16019->16015 16020->16015 16020->16019 16022 40f428 12 API calls 16021->16022 16023 40198a 16022->16023 16023->15616 16025 402d21 6 API calls 16024->16025 16026 402f01 16025->16026 16027 402f0f 16026->16027 16040 402df2 GetModuleHandleA 16026->16040 16029 402684 gethostbyname 16027->16029 16031 402f1f 16027->16031 16030 402f1d 16029->16030 16030->15619 16031->15619 16036 401c80 16032->16036 16033 401d1c 16033->16033 16037 401d47 wsprintfA 16033->16037 16034 401cc2 wsprintfA 16035 402684 gethostbyname 16034->16035 16035->16036 16036->16033 16036->16034 16039 401d79 16036->16039 16038 402684 gethostbyname 16037->16038 16038->16039 16039->15614 16041 402e10 
LoadLibraryA 16040->16041 16042 402e0b 16040->16042 16043 402e17 16041->16043 16042->16041 16042->16043 16044 402ef1 16043->16044 16045 402e28 GetProcAddress 16043->16045 16044->16027 16045->16044 16046 402e3e GetProcessHeap HeapAlloc 16045->16046 16048 402e62 16046->16048 16047 402ede GetProcessHeap HeapFree 16047->16044 16048->16044 16048->16047 16049 402e7f htons 16048->16049 16050 402ea5 gethostbyname 16048->16050 16052 402ceb 16048->16052 16049->16048 16050->16048 16053 402cf2 16052->16053 16055 402d1c 16053->16055 16056 402d0e Sleep 16053->16056 16057 402a62 GetProcessHeap HeapAlloc 16053->16057 16055->16048 16056->16053 16056->16055 16058 402a99 socket 16057->16058 16067 402a92 16057->16067 16059 402cd3 GetProcessHeap HeapFree 16058->16059 16060 402ab4 16058->16060 16059->16067 16060->16059 16073 402abd 16060->16073 16061 402adb htons 16077 4026ff 16061->16077 16063 402b04 select 16063->16073 16064 402ca4 16065 402cb3 GetProcessHeap HeapFree 16064->16065 16065->16067 16066 402b3f recv 16066->16073 16067->16053 16068 402b66 htons 16068->16064 16068->16073 16069 402b87 htons 16069->16064 16069->16073 16072 402bf3 GetProcessHeap HeapAlloc 16072->16073 16073->16061 16073->16063 16073->16064 16073->16065 16073->16066 16073->16068 16073->16069 16073->16072 16074 402c17 htons 16073->16074 16076 402c4d GetProcessHeap HeapFree 16073->16076 16084 402923 16073->16084 16096 402904 16073->16096 16092 402871 16074->16092 16076->16073 16078 40271d 16077->16078 16079 402717 16077->16079 16081 40272b GetTickCount htons 16078->16081 16080 40ebcc 4 API calls 16079->16080 16080->16078 16082 4027cc htons htons sendto 16081->16082 16083 40278a 16081->16083 16082->16073 16083->16082 16085 402944 16084->16085 16087 40293d 16084->16087 16100 402816 htons 16085->16100 16087->16073 16088 402871 htons 16091 402950 16088->16091 16089 4029bd htons htons htons 16089->16087 16090 4029f6 GetProcessHeap HeapAlloc 16089->16090 16090->16087 16090->16091 16091->16087 16091->16088 16091->16089 
16093 4028e3 16092->16093 16095 402889 16092->16095 16093->16073 16094 4028c3 htons 16094->16093 16094->16095 16095->16093 16095->16094 16097 402921 16096->16097 16098 402908 16096->16098 16097->16073 16099 402909 GetProcessHeap HeapFree 16098->16099 16099->16097 16099->16099 16101 40286b 16100->16101 16102 402836 16100->16102 16101->16091 16102->16101 16103 40285c htons 16102->16103 16103->16101 16103->16102 16105 406bbc 16104->16105 16106 406bc0 16104->16106 16105->15648 16107 40ebcc 4 API calls 16106->16107 16118 406bd4 16106->16118 16108 406be4 16107->16108 16109 406c07 CreateFileA 16108->16109 16110 406bfc 16108->16110 16108->16118 16112 406c34 WriteFile 16109->16112 16113 406c2a 16109->16113 16111 40ec2e codecvt 4 API calls 16110->16111 16111->16118 16114 406c49 CloseHandle DeleteFileA 16112->16114 16115 406c5a CloseHandle 16112->16115 16116 40ec2e codecvt 4 API calls 16113->16116 16114->16113 16117 40ec2e codecvt 4 API calls 16115->16117 16116->16118 16117->16118 16118->15648 18544 29469e0 18545 29469e8 18544->18545 18546 2947188 3 API calls 18545->18546 18547 2946a00 18546->18547 16119 29469e8 16120 29469f7 16119->16120 16123 2947188 16120->16123 16128 29471a3 16123->16128 16124 29471ac CreateToolhelp32Snapshot 16125 29471c8 Module32First 16124->16125 16124->16128 16126 29471d7 16125->16126 16129 2946a00 16125->16129 16130 2946e47 16126->16130 16128->16124 16128->16125 16131 2946e72 16130->16131 16132 2946e83 VirtualAlloc 16131->16132 16133 2946ebb 16131->16133 16132->16133 16133->16133 14449 28f0005 14454 28f092b GetPEB 14449->14454 14451 28f0030 14456 28f003c 14451->14456 14455 28f0972 14454->14455 14455->14451 14457 28f0049 14456->14457 14471 28f0e0f SetErrorMode SetErrorMode 14457->14471 14462 28f0265 14463 28f02ce VirtualProtect 14462->14463 14465 28f030b 14463->14465 14464 28f0439 VirtualFree 14469 28f04be 14464->14469 14470 28f05f4 LoadLibraryA 14464->14470 14465->14464 14466 28f04e3 LoadLibraryA 14466->14469 14468 28f08c7 14469->14466 14469->14470 
14470->14468 14472 28f0223 14471->14472 14473 28f0d90 14472->14473 14474 28f0dad 14473->14474 14475 28f0dbb GetPEB 14474->14475 14476 28f0238 VirtualAlloc 14474->14476 14475->14476 14476->14462
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(C:\Users\user\Desktop\SGn3RtDC8Y.exe), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\SGn3RtDC8Y.exe$C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$D$P$\$jlxopxf
                                                                                            • API String ID: 2089075347-2332278139
                                                                                            • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph
                                                                                            [Graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 40637c-40640f and reach GetModuleHandleA, VirtualAlloc, VirtualAllocEx and WriteProcessMemory, with calls into 40ee08 and 4062b7.]
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                            Control-flow Graph
                                                                                            [Graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 4073ff-407808 and reach RegOpenKeyExA, RegEnumKeyA, RegQueryValueExA, RegCloseKey and GetFileAttributesExA, with calls into 406dc2, 402544, 406cad, 406c96, 40ee2a, 40ee95, 40ef00, 40ed03, 40ed23, 40ed77, 40ee08 and 40f1a5.]
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75570F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75570F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75570F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75570F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75570F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75570F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75570F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph
                                                                                            [Graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 28f003c-28f091d and reach VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA, with calls into 28f0a3f, 28f0a69, 28f0cce, 28f0ce7, 28f0d90 and 28f0e0f.]
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 028F024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 69f71b938f3a6d9eeffa4f2f6de03bae6fbad3792799538104a82ea99e8ee75e
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: 20526D78A01229DFDBA4CF58C984BACBBB1BF09304F1480D9E54DA7356DB30AA95CF15

                                                                                            Control-flow Graph
                                                                                            [Graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 40977c-409866 and reach CreateProcessA, Wow64GetThreadContext, TerminateProcess, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, with calls into 40ee2a and 40637c.]
                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2098669666-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                            Control-flow Graph
                                                                                            [Graph rendering omitted; legend: Executed / Not Executed. Basic blocks span 404000-40405c and reach CreateFileA, GetLastError and Sleep, with a retry loop back to the CreateFileA block.]
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

control_flow_graph 545 406e36-406e5d GetUserNameW 546 406ebe-406ec2 545->546 547 406e5f-406e95 LookupAccountNameW 545->547 547->546 548 406e97-406e9b 547->548 549 406ebb-406ebd 548->549 550 406e9d-406ea3 548->550 549->546 550->549 551 406ea5-406eaa 550->551 552 406eb7-406eb9 551->552 553 406eac-406eb0 551->553 552->546 553->549 554 406eb2-406eb5 553->554 554->549 554->552
APIs
• GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID:
• API String ID: 2370142434-0
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow Graph

control_flow_graph 555 2947188-29471a1 556 29471a3-29471a5 555->556 557 29471a7 556->557 558 29471ac-29471b8 CreateToolhelp32Snapshot 556->558 557->558 559 29471c8-29471d5 Module32First 558->559 560 29471ba-29471c0 558->560 561 29471d7-29471d8 call 2946e47 559->561 562 29471de-29471e6 559->562 560->559 565 29471c2-29471c6 560->565 566 29471dd 561->566 565->556 565->559 566->562
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029471B0
• Module32First.KERNEL32(00000000,00000224), ref: 029471D0
Memory Dump Source
• Source File: 0000000C.00000002.1461743704.0000000002942000.00000040.00000020.00020000.00000000.sdmp, Offset: 02942000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2942000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 9051d2012629686916d5b6917adcc5b1ecd48e65d31cfb91bdc89b51b8669267
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 84F090322007196FE7203BF9ACCCFAFB6EDAF8D625F100628E646914C0DF70E8454A61

Control-flow Graph

control_flow_graph 568 28f0e0f-28f0e24 SetErrorMode * 2 569 28f0e2b-28f0e2c 568->569 570 28f0e26 568->570 570->569
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,028F0223,?,?), ref: 028F0E19
• SetErrorMode.KERNELBASE(00000000,?,?,028F0223,?,?), ref: 028F0E1E
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: f9c93ad7a8c7aa5f7df069495d7554a66e6d268b830cae725a4b375d2c60ecd3
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 2ED01235545128B7D7402A94DC09BCD7B1CDF05B66F008011FB0DD9081C770954046E5

Control-flow Graph

control_flow_graph 571 406dc2-406dd5 572 406e33-406e35 571->572 573 406dd7-406df1 call 406cc9 call 40ef00 571->573 578 406df4-406df9 573->578 578->578 579 406dfb-406e00 578->579 580 406e02-406e22 GetVolumeInformationA 579->580 581 406e24 579->581 580->581 582 406e2e 580->582 581->582 582->572
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID:
• API String ID: 1823874839-0
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

Control-flow Graph

control_flow_graph 583 409892-4098c0 584 4098c2-4098c5 583->584 585 4098d9 583->585 584->585 586 4098c7-4098d7 584->586 587 4098e0-4098f1 SetServiceStatus 585->587 586->587
APIs
• SetServiceStatus.SECHOST(00413394), ref: 004098EB
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: ServiceStatus
• String ID:
• API String ID: 3969395364-0
• Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
• Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
• Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

Control-flow Graph

control_flow_graph 588 2946e47-2946e81 call 294715a 591 2946e83-2946eb6 VirtualAlloc call 2946ed4 588->591 592 2946ecf 588->592 594 2946ebb-2946ecd 591->594 592->592 594->592
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02946E98
Memory Dump Source
• Source File: 0000000C.00000002.1461743704.0000000002942000.00000040.00000020.00020000.00000000.sdmp, Offset: 02942000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2942000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 61fc4d192b974c49e13e68d934ec68da92e4b0af6152e5be98b64c43be007374
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 43113979A00208EFDB01DF98C985E99BFF5AF48350F0580A4FA489B361D771EA90DF80

Control-flow Graph

control_flow_graph 595 4098f2-4098f4 596 4098f6-409902 call 404280 595->596 599 409904-409913 Sleep 596->599 600 409917 596->600 599->596 601 409915 599->601 602 409919-409942 call 402544 call 40977c 600->602 603 40995e-409960 600->603 601->600 607 409947-409957 call 40ee2a 602->607 607->603
APIs
  • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CreateEventSleep
• String ID:
• API String ID: 3100162736-0
• Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
• Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
• Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 028F65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 028F6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 028F6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 028F6652
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: f40ccf4471f8913a95bfcca5ad6437c13ea84249bcc3d175c15071a9bd8392f3
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: 8E11A779600228BFDB519F65DC05F9B3FACEB047A5F004124FB18E7251E7B1DD008AA4
APIs
• ExitProcess.KERNEL32 ref: 028F9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 028F9FE1
• lstrcat.KERNEL32(?,?), ref: 028F9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 028FA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 028FA054
• DeleteFileA.KERNEL32(?), ref: 028FA09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 028FA0D6
• lstrcpy.KERNEL32 ref: 028FA12F
• lstrlen.KERNEL32(00000022), ref: 028FA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 028F9F13
  • Part of subcall function 028F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 028F7081
  • Part of subcall function 028F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\sugxygo,028F7043), ref: 028F6F4E
  • Part of subcall function 028F6F30: GetProcAddress.KERNEL32(00000000), ref: 028F6F55
  • Part of subcall function 028F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 028F6F7B
  • Part of subcall function 028F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 028F6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 028FA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 028FA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 028FA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 028FA21B
• GetDriveTypeA.KERNEL32(?), ref: 028FA265
• lstrcat.KERNEL32(?,00000000), ref: 028FA29F
• lstrcat.KERNEL32(?,00410A34), ref: 028FA2C5
• lstrcat.KERNEL32(?,00000022), ref: 028FA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 028FA2F4
• wsprintfA.USER32 ref: 028FA31D
• lstrcat.KERNEL32(?,00000000), ref: 028FA345
• lstrcat.KERNEL32(?,?), ref: 028FA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 028FA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 028FA398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 028FA1D1
  • Part of subcall function 028F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 028F999D
  • Part of subcall function 028F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 028F99BD
  • Part of subcall function 028F9966: RegCloseKey.ADVAPI32(?), ref: 028F99C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 028FA3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 028FA3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 028FA41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: 6e244ad612768661b333f83193bb8efd52f8fd05b3fb024f36c6a8cf7b726d28
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: 62F150B9D40219AFDF65DBA4DC48FEF7BBCAB08304F0480A6E709E2141E77596848F65
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 028F7D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 028F7D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 028F7D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 028F7DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 028F7DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 028F7DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 028F7DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 028F7DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 028F7E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 028F7E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 028F7E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 028F7E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$D
                                                                                            • API String ID: 2976863881-1525390353
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 3ac7913e89886c20ca028ca03cf6e682bea571d8f5e4be03d07d377a6f6eef4f
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: FCA16179900219AFEF51CFA4DC44FEEBBB9FB48704F04816AF605E6150D7758A84CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$D
                                                                                            • API String ID: 2976863881-1525390353
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 028F7A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 028F7ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 028F7ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 028F7B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 028F7B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 028F7B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 028F7B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 028F7B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 028F7B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 028F7B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 028F7B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 028F7B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 028F7BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 028F7BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 028F7C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 028F7C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 028F7CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 028F7CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 028F7CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 028F7CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 028F7CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 609a89b13ae7ed6533eff87bf674ce29eba371b48ad38762fb4b53e9453f4476
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: E1814D79900219AFFB51CFA4DD84FEEBBB8AF08304F14816AE609E6150D7759641CB64
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$localcfg
                                                                                            • API String ID: 237177642-1805313226
                                                                                            • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7556F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7556F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 1639031587-6339388
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDv$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-868794581
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg$W4u
                                                                                            • API String ID: 835516345-1619806614
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 028F865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 028F867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 028F86A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 028F86B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe
                                                                                            • API String ID: 237177642-960168564
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 50ad59b2954be3e42300e8dc8ea82db7abd91cfffea6aa6ec4d6a3bb0934bfde
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 0AC1A17E900249BEEB51ABA4DD84EEF7BBDEB08304F144066F704E6050E7704A948F65
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 028F2CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 028F2D07
                                                                                            • htons.WS2_32(00000000), ref: 028F2D42
                                                                                            • select.WS2_32 ref: 028F2D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 028F2DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 028F2E62
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 127016686-6339388
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 4bb18e8a8334c21515cde5e16255334120e9d7757af38038e3a7405a63141326
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 3E61F37D504309ABC360AF64DC08B6BBBE8EB48755F114819FE88D7155E7B4D880CBA6
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 028F1601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 028F17D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: c0ba871c71d8b957537cf1c339359c2abe325f3f883af1bd4c9b03f7b40fa733
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 94F17EB9608341DFD720CF64C888BABB7E5FB88305F40892DFA99D7290D7749944CB66
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,755723A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll$W4u
• API String ID: 929413710-1050870963
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 028F76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 028F7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 028F778F
• ___ascii_stricmp.LIBCMT ref: 028F78B4
• RegCloseKey.ADVAPI32(?), ref: 028F794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 028F796D
• RegCloseKey.ADVAPI32(?), ref: 028F797E
• RegCloseKey.ADVAPI32(?), ref: 028F79AC
• RegCloseKey.ADVAPI32(?), ref: 028F7A56
  • Part of subcall function 028FF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,028F772A,?), ref: 028FF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 028F79F6
• RegCloseKey.ADVAPI32(?), ref: 028F7A4D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 9136a90525a85471ee27d9cc49cade45a1a223bd8ebdbc03332e067ff373a2cf
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 43C1947D900209AFEB51DFA8DC44FEEBBB9EF49310F1040A5E704E6190EB759A94CB61
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75570F10,?,75570F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(75570F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75570F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(75570F10,?,75570F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75570F10), ref: 00407208
• RegCloseKey.ADVAPI32(75570F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75570F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75570F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75570F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75570F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75570F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75570F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75570F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75570F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75570F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75570F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75570F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75570F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75570F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,75570F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: `4u$time_cfg
• API String ID: 311057483-456741473
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 028F202D
• GetSystemInfo.KERNEL32(?), ref: 028F204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 028F206A
• GetProcAddress.KERNEL32(00000000), ref: 028F2071
• GetCurrentProcess.KERNEL32(?), ref: 028F2082
• GetTickCount.KERNEL32 ref: 028F2230
  • Part of subcall function 028F1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 028F1E7C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: 8a14d01e93f3fbc83d38237ce3517d49e70f94e148b6c56a952fce444b49da1b
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: 2551F578500348AFE370AF698C84F67BBECEB54708F00091DFB9AC2151D7B4A594CB66
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7568EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7568EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 028F3068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 028F3078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 028F3095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 028F30B6
                                                                                            • htons.WS2_32(00000035), ref: 028F30EF
                                                                                            • inet_addr.WS2_32(?), ref: 028F30FA
                                                                                            • gethostbyname.WS2_32(?), ref: 028F310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 028F314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 2cfb970782c5a98315e26e3a36644dce4846150299471c8321f284652b8fadf6
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: 3B31D63DA00246ABDB919BB8DC48BAE77B8EF04364F1441A5FA1CE3290DB74D581CB58
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 028F95A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 028F95D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 028F95DC
                                                                                            • wsprintfA.USER32 ref: 028F9635
                                                                                            • wsprintfA.USER32 ref: 028F9673
                                                                                            • wsprintfA.USER32 ref: 028F96F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 028F9758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 028F978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 028F97D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID:
                                                                                            • API String ID: 3696105349-0
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: bad65a179705288cdd008f3146ab9e930d9b3d264e906bb23131800287587f11
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: EFA18ABA90020CEBEB61DFA4CC85FDA3BADEB04745F104026FA15E2161E7B5D584CFA5
                                                                                            APIs
                                                                                            • htons.WS2_32(028FCC84), ref: 028FF5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 028FF5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 028FF5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: `4u$time_cfg
                                                                                            • API String ID: 311057483-456741473
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: edd1a05421d0011df7bcc7a51c694982ec422122722e6c5fd49963153700ff60
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: C6316D7990011CABDB109FA5DC849EE7BBCEF88310F104566FB09D3190E7748A81CBA5
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75568A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 028F67C3
                                                                                            • htonl.WS2_32(?), ref: 028F67DF
                                                                                            • htonl.WS2_32(?), ref: 028F67EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 028F68F1
                                                                                            • ExitProcess.KERNEL32 ref: 028F69BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: f50938b33fa677d94035177f78bac81ec05b5e84fc475984266d0da83c5a5bec
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: D3617E71A50208AFDB609FB4DC45FEA77E9FB08300F14816AFA6DD2161EB759990CF14
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 028F2FA1
• LoadLibraryA.KERNEL32(?), ref: 028F2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 028F2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 028F3000
• RtlAllocateHeap.NTDLL(00000000), ref: 028F3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 028F3032
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: f75db398d28921d53b0d5684f4482d25648a7b7ab05bd2ce47ca5a1aa804f27a
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 1D21A479D4022ABBCB619B54DC44AEEBBBCEF48B10F014461FA05E7540D7B49A8187D4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 028F9A18
• GetThreadContext.KERNEL32(?,?), ref: 028F9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 028F9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028F9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 028F9AB5
• ResumeThread.KERNEL32(?), ref: 028F9AC2
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: 268d167c9d51bbdf625b2873ac0bc633711d23003709495c0f5f18eb1bde802f
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 63216BB5E01229BBDB619BA1DC09FEF7BBCEF04754F004061FA19E1050E7718A54CBA4
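The six calls listed for the function at 028F9A18 are the textbook process-hollowing chain: CreateProcessA with dwCreationFlags = 00000004 (CREATE_SUSPENDED), GetThreadContext on the suspended main thread, a 4-byte WriteProcessMemory, SetThreadContext with context flags 00010002 (CONTEXT_INTEGER, i.e. the general registers) and ResumeThread; the TerminateProcess between them is most likely the error path. The block below is an added example, not Joe Sandbox tooling and not code from the sample: it parses the "APIs" bullet lines in the format this report uses and flags that ordered chain, requiring the CREATE_SUSPENDED bit on the CreateProcess call so that an ordinary suspended-start-then-resume is not enough. The first sample is copied from the block above; the benign control is constructed.

```python
"""Parse Joe Sandbox-style "APIs" bullet lines and flag process hollowing.

Added example; not part of Joe Sandbox or of the analysed sample.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CREATE_SUSPENDED = 0x00000004  # documented dwCreationFlags bit (Win32)

# One bullet line of the report, e.g.
#   • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028F9A98
#   • GetProcessHeap.KERNEL32 ref: 028F1C84          (no argument list)
#     • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
API_LINE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    raw_args: List[str] = field(default_factory=list)
    ref: int = 0
    subcall_of: Optional[int] = None  # set when the line is a "Part of subcall"

    def int_arg(self, i: int) -> Optional[int]:
        """Argument i as an integer, or None for '?' / string constants."""
        if i >= len(self.raw_args):
            return None
        a = self.raw_args[i]
        # Only 8-hex-digit values are treated as numbers; this avoids
        # misreading short string constants such as "ADD" as hex.
        if re.fullmatch(r"[0-9A-Fa-f]{8}", a):
            return int(a, 16)
        return None


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return the API calls in report order; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


# Ordered chain; other calls may be interleaved (TerminateProcess above).
HOLLOWING_CHAIN = ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread"]


def find_hollowing(calls: List[ApiCall]) -> Optional[List[ApiCall]]:
    """Return the matched calls in order, or None if the chain is absent.

    The CreateProcess{A,W} call must carry CREATE_SUSPENDED in
    dwCreationFlags (argument index 5 in the Win32 prototype).
    """
    idx, matched = 0, []
    for c in calls:
        want = HOLLOWING_CHAIN[idx]
        if want == "CreateProcess":
            if c.api in ("CreateProcessA", "CreateProcessW"):
                flags = c.int_arg(5)
                if flags is not None and flags & CREATE_SUSPENDED:
                    matched.append(c)
                    idx += 1
        elif c.api == want:
            matched.append(c)
            idx += 1
        if idx == len(HOLLOWING_CHAIN):
            return matched
    return None


# Copied from the report block for the function at 028F9A18.
SAMPLE_REPORT = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 028F9A18
• GetThreadContext.KERNEL32(?,?), ref: 028F9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 028F9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028F9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 028F9AB5
• ResumeThread.KERNEL32(?), ref: 028F9AC2
"""

# Constructed control: a normal (non-suspended) process start, no hollowing.
BENIGN_SAMPLE = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401020
• CloseHandle.KERNEL32(?), ref: 00401030
"""

if __name__ == "__main__":
    hit = find_hollowing(parse_api_lines(SAMPLE_REPORT))
    if hit:
        print("process hollowing chain at " +
              " -> ".join(f"{c.api}@{c.ref:08X}" for c in hit))
    print("benign control:", find_hollowing(parse_api_lines(BENIGN_SAMPLE)))
```

Because the matcher is an ordered subsequence rather than an exact sequence, it still fires when the report interleaves unrelated calls; tighten it with the SetThreadContext flag value or the 4-byte WriteProcessMemory size if it proves too broad on a larger corpus.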
APIs
• inet_addr.WS2_32(004102D8), ref: 028F1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 028F1C26
• GetProcessHeap.KERNEL32 ref: 028F1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 028F1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 028F1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 028F1D02
• FreeLibrary.KERNEL32(?), ref: 028F1D0B
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 173e9756039abe2e08ad3f2097c2bad48f20e3c076585d9227a9f1f3a0779b46
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: BF31723AD00209FFCB519FA4DC8C8AEBBB5EB45705B24407AE609E2110D7B55D80DBA4
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 028F6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028F6D22
• GetLastError.KERNEL32 ref: 028F6DA7
• CloseHandle.KERNEL32(?), ref: 028F6DB5
• GetLastError.KERNEL32 ref: 028F6DD6
• DeleteFileA.KERNEL32(?), ref: 028F6DE7
• GetLastError.KERNEL32 ref: 028F6DFD
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 385f6daf59ffe8c6267a50972132fdaf3004358fae726c8ea0cfcd4fcc6bbbe7
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: C231DF7E900249BFCB41AFA49D44ADE7F7DEB48310F148265E321E3220E771A6558B62
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\sugxygo,028F7043), ref: 028F6F4E
• GetProcAddress.KERNEL32(00000000), ref: 028F6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 028F6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 028F6F92
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\sugxygo
• API String ID: 1082366364-1981845078
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 28e6046da452fc21e8c3fd76dac1042c9ceb0b1867c0985cc21e59f9ba1ca2c5
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 2C21F22D74035039F7A257359C88FBB2B4C8F92724F1840A5FA08D59D0EBD984D6866E
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: ec9dc151b3a96945f8385c4782c3e00da7f69e88725b670bdbba27de9455338a
• Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction Fuzzy Hash: 24712D7EA00308AAEFA99B58DC85FEE376D9B00779F244026FB0CE60D0DF6255C48B55
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 028FDF6C: GetCurrentThreadId.KERNEL32 ref: 028FDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 028FE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,028F6128), ref: 028FE950
• lstrcmp.KERNEL32(?,00000008), ref: 028FE989
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: fc6c057f42852865bc82651108fd2559273f32e673b01c1e7d0cc29ee93d95c0
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: D131743DB007159BDBB18F24C884B667BE5EB05716F10852AEB59C7561D374E480CB62
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 52135d97e155a4a187af746819e182dd37fd3bee87786874f5aacbecad53cd8a
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: 89215B7F204129BFDB509BA4FC48EDF3FADDB49264B208521F616D1090FB71DA009674
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 028F92E2
• wsprintfA.USER32 ref: 028F9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 028F9375
• lstrlen.KERNEL32(?,?,00000000), ref: 028F9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 028F9394
• CloseHandle.KERNEL32(00000000), ref: 028F939B
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 95c294ca55d2a0656566804f49d1a6b5a4da57a446fd4565cf98288815fcc358
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 031172BA6401147BE7606735EC0DFEF3B6EDFC8B10F0080A5BB09E5090EAB44A418A65
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75570F10,?,00000000,0040E538,?,75570F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 028FC6B4
                                                                                            • InterlockedIncrement.KERNEL32(028FC74B), ref: 028FC715
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,028FC747), ref: 028FC728
                                                                                            • CloseHandle.KERNEL32(00000000,?,028FC747,00413588,028F8A77), ref: 028FC733
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1026198776-1857712256
                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction ID: 90e24a1ecbcc5c4c0c32d9ea1ac32b5289a6cc5c8856601db22a08eedbec3d98
                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction Fuzzy Hash: 80515EB9A04B498FD7A4CF29C5C462ABBE9FB48304B50593FE28BC7A91D774E544CB10
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75570F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75570F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75570F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75570F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75570F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75570F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75570F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe
                                                                                            • API String ID: 124786226-680064073
                                                                                            • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 028F71E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 028F7228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 028F7286
                                                                                            • wsprintfA.USER32 ref: 028F729D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction ID: b76cd740951ae9538ff1978c1a5c533c38868d45d2ca7abdb24298d05a93da76
                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction Fuzzy Hash: 2E31297AA00208BFDB41DFA8DC45BDA7BACEF04314F14C066FA59DB240EB75D6488B94
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 028FB51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 028FB529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 028FB548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 028FB590
                                                                                            • wsprintfA.USER32 ref: 028FB61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: e8c36375da4d78e987939ad83942909bc71842b5e23e1e532a884b83eaae3e1c
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: 3B511FB5D0021DAACF54DFD5D8885EEBBB9BF48304F10816AF605A6150E7B84AC9CF98
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 028F6303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 028F632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 028F63B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 028F6405
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: 3ea3e0d544a7eabf2e8b575769a41370c174826a4dce9e8d086d48b9064ff4dc
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: 7F41607DA00229EFDB54CF58C884BA9B7B8FF14358F188269EA29D7250E771E940CB50
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(75570F18,00000000,?,75570F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75570F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,75570F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1802437671-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 028F93C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 028F93CD
                                                                                            • CharToOemA.USER32(?,?), ref: 028F93DB
                                                                                            • wsprintfA.USER32 ref: 028F9410
                                                                                              • Part of subcall function 028F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 028F92E2
                                                                                              • Part of subcall function 028F92CB: wsprintfA.USER32 ref: 028F9350
                                                                                              • Part of subcall function 028F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 028F9375
                                                                                              • Part of subcall function 028F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 028F9389
                                                                                              • Part of subcall function 028F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 028F9394
                                                                                              • Part of subcall function 028F92CB: CloseHandle.KERNEL32(00000000), ref: 028F939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 028F9448
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: 9aed107310b5f0a6bb6408ae491d86d9e2fedeeadb05cb4d710ea8d59c1d5a88
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: 80015EFA9001187BDB61A7659D89FDF3B7CDB95701F0040A2BB49E2080EAB496C58F75
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: f0c1707e07e2edf6cd1c7e93afa899d9309019fb8cc41aa7932aa59b74fd0a37
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: A4E0C2386141218FCB808B2CF848AD537E4EF0A230F008180F948C32A4C734DCC09740
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$W4u
                                                                                            • API String ID: 1594361348-4149107023
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExitProcessSleepclosesocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 2012141568-6339388
                                                                                            • Opcode ID: a6f9f776857f4ecde53a678587fdf16408cfdffbb3d2d617deb71ab51d0e9a11
                                                                                            • Instruction ID: 8ffe05a623409c77bccfd4c008ce85f8e03393b8eb6b08ba275d0cf0b65cabd0
                                                                                            • Opcode Fuzzy Hash: a6f9f776857f4ecde53a678587fdf16408cfdffbb3d2d617deb71ab51d0e9a11
                                                                                            • Instruction Fuzzy Hash: E8C04C34801208DBC7412B74FC4C98C3F65AB08301710C170A10A91070CAB045508A29
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 028F69E5
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 028F6A26
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 028F6A3A
                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 028F6BD8
                                                                                              • Part of subcall function 028FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,028F1DCF,?), ref: 028FEEA8
                                                                                              • Part of subcall function 028FEE95: HeapFree.KERNEL32(00000000), ref: 028FEEAF
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 3384756699-0
                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction ID: 52c45dcc7c0c1718de47be88b45dc2693e9d5f59e2a0afdd1dac08ed519c3fe2
                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction Fuzzy Hash: 13711C7990022DEFDF11DFA4CD809EEBBB9FB04354F10466AE625E6190E7309E91DB50
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,028FE50A,00000000,00000000,00000000,00020106,00000000,028FE50A,00000000,000000E4), ref: 028FE319
                                                                                            • RegSetValueExA.ADVAPI32(028FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 028FE38E
                                                                                            • RegDeleteValueA.ADVAPI32(028FE50A,?,?,?,?,?,000000C8,004122F8), ref: 028FE3BF
                                                                                            • RegCloseKey.ADVAPI32(028FE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,028FE50A), ref: 028FE3C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: 99b5c0802cfd056bdb623dcbff66f79fc5e4f5eb3d646c2f1d780565cb520b90
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: 79215379A0021DBBDF609FA5EC89EDE7F79EF08750F048061FA08E6160E7718A54DB91
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 028F421F
                                                                                            • GetLastError.KERNEL32 ref: 028F4229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 028F423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 028F424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 60bad7e3cb5b37c011f43a8c08e109fc81a0a228a425e8d4125343e6510c541e
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: E901C876511109AFDF41DF90ED84BEF7BACEB08256F108462FA05E2050E770DA548BB6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 028F41AB
                                                                                            • GetLastError.KERNEL32 ref: 028F41B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 028F41C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 028F41D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: db835cb029891e6d0654933540308e46485d48af3587e5bf7af2935c092b3e80
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: 2301E97A51110EABDF01DF90ED84BEF7B6CEB18259F004062FA05E2050D770AA948BB5
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 028FE066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 20de0414a7b37f62fb85f3b7274d0d48155d8cec20561067ad11e8efb3ff62dc
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 19F06D3A2007069BCB60CF25D884A82B7E9FB89325B548B2AE658C3870D374A498CB55
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
• Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD

APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD

APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 028F83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 028F8477
  • Part of subcall function 028F69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 028F69E5
  • Part of subcall function 028F69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 028F6A26
  • Part of subcall function 028F69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 028F6A3A
  • Part of subcall function 028FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,028F1DCF,?), ref: 028FEEA8
  • Part of subcall function 028FEE95: HeapFree.KERNEL32(00000000), ref: 028FEEAF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe
• API String ID: 359188348-680064073
• Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction ID: 364258fff5a67c2405309e9d50cee3dd5303b1159220de3206e66320c0e7359f
• Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction Fuzzy Hash: 7D4160BE900109BFEB50EBA49E80EFF776DEB14344F1484AAE708D6150F7B05A948F65

APIs
• GetLocalTime.KERNEL32(?), ref: 028FAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 028FB00D
  • Part of subcall function 028FAF6F: gethostname.WS2_32(?,00000080), ref: 028FAF83
  • Part of subcall function 028FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 028FAFE6
  • Part of subcall function 028F331C: gethostname.WS2_32(?,00000080), ref: 028F333F
  • Part of subcall function 028F331C: gethostbyname.WS2_32(?), ref: 028F3349
  • Part of subcall function 028FAA0A: inet_ntoa.WS2_32(00000000), ref: 028FAA10
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
• Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction ID: 491063f46591598ec75f94777c890be842021f5b7a033120b6adb93be54ec65d
• Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction Fuzzy Hash: 07418E7A90020CABCB25EFA4DC45EEE3BADFF48304F144426FA28D2151EB75E6848F55

APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 028F9536
• Sleep.KERNEL32(000001F4), ref: 028F955D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
• Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction ID: d5991c9526e425f0ba0d4f3ed0a5fe6376decb1107a755a7f9ba6ecca8b41c47
• Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction Fuzzy Hash: 5841297DC08389AEEBB68B68D89C7A63FA49B16318F1440E5D78AD71A2D7744980C711

APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
• Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
• Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

APIs
• GetTickCount.KERNEL32 ref: 028FB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 028FBA3A
• InterlockedIncrement.KERNEL32(?), ref: 028FBA94
• GetTickCount.KERNEL32 ref: 028FBB79
• GetTickCount.KERNEL32 ref: 028FBB99
• InterlockedIncrement.KERNEL32(?), ref: 028FBE15
• closesocket.WS2_32(00000000), ref: 028FBEB4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: 8a08ba3e5e03d264e3b02db3a8ec53b5e5f9690c6be4a858c9c518e3015d2ace
• Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction Fuzzy Hash: B2317C79500248DFDFA5DFA4DC84AE9B7A9EB48708F20405AFB28D2160EB34E685CF11

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 028F70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 028F70F4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: d0e8d3b5c3d9bf3287051d2eb6dd9176fa9972cc57c0760b9af5d73c8d6f9046
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 6A110C7A90011CEBEF51CFD4DC84ADEF7BDAB04715F1441A6E605E6194E7709B88CBA0

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7568EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 028F2F88: GetModuleHandleA.KERNEL32(?), ref: 028F2FA1
                                                                                              • Part of subcall function 028F2F88: LoadLibraryA.KERNEL32(?), ref: 028F2FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 028F31DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 028F31E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1461678796.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_28f0000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 10919bc75b8b179ab4e02bf1e51068fb5f6cfdfe094e254e83f6842aa2c58a99
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 0451B03990028AEFCB41DF64D8849FAB775FF15305F1441A9EE9AC7210E732DA59CB90
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.1460336110.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_ubezyssm.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
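As an added example (not part of the Joe Sandbox report or its tooling), the Python below parses per-function "APIs" records in the format shown above into structured calls and derives simple triage tags from them: whether a function resolves imports at run time (GetProcAddress next to LoadLibraryA/GetModuleHandleA), whether it calls into WS2_32, and which non-numeric argument literals it carries (the spam-template tokens such as %FROM_EMAIL are what an analyst greps for). The sample input is constructed from the records listed on this page; the tag names and the "eight hex digits or ?" heuristic for telling literals from values are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function "APIs" records and derive triage tags.
Added example; not code from the report or from Joe Sandbox."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: records copied from the function listing above.
SAMPLE = """\
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
• String ID: %FROM_EMAIL
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
• String ID: localcfg
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7568EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
• String ID: ntdll.dll
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
"""

# "• [Part of subcall function ADDR: ]Name.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>Opcode ID|String ID):\s*(?P<val>.*?)\s*$")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # assumption: 8 hex digits == a value, not a string


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # set when the report marks the call as part of a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    string_id: str = ""
    opcode_id: str = ""


def parse_records(text):
    """Split the listing into one FunctionRecord per 'APIs' header."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            # Arguments are comma separated; a string argument containing a comma
            # would be split here, which none of the report's strings do.
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            sub = m.group("sub").upper() if m.group("sub") else None
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref").upper(), sub))
            continue
        f = FIELD_RE.match(line)
        if f and f.group("key") == "String ID":
            cur.string_id = f.group("val")
        elif f:
            cur.opcode_id = f.group("val")
    return records


def literal_args(call):
    """Arguments that are neither 32-bit hex values nor the unknown marker '?'."""
    return [a for a in call.args if a != "?" and not HEX32_RE.match(a)]


def triage(records):
    """Map each function's Opcode ID to a sorted list of triage tags (names are this example's)."""
    tags = {}
    for r in records:
        names = {c.name for c in r.apis}
        modules = {c.module for c in r.apis}
        t = set()
        if "GetProcAddress" in names:
            t.add("dynamic-resolution")
        if names & {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}:
            t.add("library-load")
        if "WS2_32" in modules:
            t.add("network")
        if any(literal_args(c) for c in r.apis):
            t.add("string-literals")
        tags[r.opcode_id] = sorted(t)
    return tags


def indicators(records):
    """All string literals seen as arguments or as String ID, for hunting in other samples."""
    found = set()
    for r in records:
        if r.string_id:
            found.add(r.string_id)
        for c in r.apis:
            found.update(literal_args(c))
    return sorted(found)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode_id, t in triage(recs).items():
        print(opcode_id[:16], ", ".join(t) or "-")
    print("indicators:", indicators(recs))
```

Run on a whole report dump, the same parser gives a per-function tag table and a de-duplicated string list; the subcall_of field keeps calls the report attributes to a callee separate from the function's own calls, so a LoadLibraryA reached only through a subcall is not mistaken for in-function resolution.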

                                                                                            Execution Graph

                                                                                            Execution Coverage:15.2%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:0.8%
                                                                                            Total number of Nodes:1798
                                                                                            Total number of Limit Nodes:18
[Execution graph rendering omitted: the interactive graph was flattened into one run of node IDs and edge pairs (1798 nodes, 18 limit nodes). API call sites recoverable from that text, by function address: 479a6b SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter, followed by 479aa3 GetModuleHandleA/GetModuleFileNameA, 479afd GetCommandLineA, 47a41c CreateThread/WSAStartup and 47a39d StartServiceCtrlDispatcherA; 479961 RegisterServiceCtrlHandlerA with 479892/4798c2 SetServiceStatus; 47f26d five setsockopt calls; 47f483 WSAStartup; 476410 VirtualAlloc, VirtualAlloc, then 476069 IsBadReadPtr, LoadLibraryA, GetProcAddress, GetProcAddress, IsBadReadPtr and 475f3f VirtualProtect, with 476246 FreeLibrary/VirtualFree (a chain consistent with mapping a PE image in memory); 476511 wsprintfA/IsBadReadPtr, 47656a htonl/htonl/wsprintfA/wsprintfA, 47668a GetCurrentProcess/StackWalk64 and 476753 ExitProcess; 478e26 GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle; 476f5f GetUserNameA; 47c65c send, GetProcessHeap, HeapSize, GetProcessHeap, RtlAllocateHeap; 479f32 RegOpenKeyExA and 479f48 RegSetValueExA/RegCloseKey; 47972d RegOpenKeyExA and 47974f RegDeleteValueA/RegCloseKey; 47a103 CreateProcessA, 47a12a DeleteFileA; 47cc9f CreateFileA, 47ccc6 WriteFile, 47d4b1 CreateProcessA, 47d149/47d1bf/47d3e0/47d452 SetFileAttributesA, 47cdbd DeleteFileA; 4791d5 ShellExecuteA; 479064 GetTempPathA; 474e92 GetTickCount/InterlockedExchange/Sleep; 47dd05 GetTickCount/GetCurrentThreadId/Sleep; 47ec54 GetSystemTimeAsFileTime/GetVolumeInformationA/GetTickCount; 47f04e LoadLibraryA/GetProcAddress/SystemTimeToFileTime/GetSystemTimeAsFileTime. The graph text is cut off after 47f04e.]
6599->6626 6601 47e3be 6601->6183 6602 47e342 6602->6601 6629 47de24 6602->6629 6605 47dbca 6604->6605 6606 47db89 lstrcpyA CreateFileA 6604->6606 6605->6574 6606->6574 6609 47ebf6 6608->6609 6610 47ec01 6608->6610 6617 47ebcc GetProcessHeap RtlAllocateHeap 6609->6617 6620 47eba0 6610->6620 6618 47eb74 2 API calls 6617->6618 6619 47ebe8 6618->6619 6619->6598 6621 47eba7 GetProcessHeap HeapSize 6620->6621 6622 47ebbf GetProcessHeap RtlReAllocateHeap 6620->6622 6621->6622 6623 47eb74 6622->6623 6624 47eb93 6623->6624 6625 47eb7b GetProcessHeap HeapSize 6623->6625 6624->6598 6625->6624 6640 47eb41 6626->6640 6628 47f0b7 6628->6602 6630 47de3a 6629->6630 6636 47de4e 6630->6636 6649 47dd84 6630->6649 6633 47ebed 8 API calls 6638 47def6 6633->6638 6634 47de9e 6634->6633 6634->6636 6635 47de76 6653 47ddcf 6635->6653 6636->6602 6638->6636 6639 47ddcf lstrcmpA 6638->6639 6639->6636 6641 47eb61 6640->6641 6642 47eb4a 6640->6642 6641->6628 6645 47eae4 6642->6645 6644 47eb54 6644->6628 6644->6641 6646 47eb02 GetProcAddress 6645->6646 6647 47eaed LoadLibraryA 6645->6647 6646->6644 6647->6646 6648 47eb01 6647->6648 6648->6644 6650 47dd96 6649->6650 6651 47ddc5 6649->6651 6650->6651 6652 47ddad lstrcmpiA 6650->6652 6651->6634 6651->6635 6652->6650 6652->6651 6654 47de20 6653->6654 6656 47dddd 6653->6656 6654->6636 6655 47ddfa lstrcmpA 6655->6656 6656->6654 6656->6655 6658 47dd05 6 API calls 6657->6658 6659 47e821 6658->6659 6660 47dd84 lstrcmpiA 6659->6660 6661 47e82c 6660->6661 6662 47e844 6661->6662 6708 472480 6661->6708 6662->6207 6665 47ea98 6664->6665 6717 47e8a1 6665->6717 6667 471e84 6667->6215 6669 4719b7 LoadLibraryA 6668->6669 6670 4719d5 GetProcAddress GetProcAddress GetProcAddress 6669->6670 6673 4719ce 6669->6673 6671 471a04 6670->6671 6672 471ab3 FreeLibrary 6670->6672 6671->6672 6674 471a14 GetBestInterface GetProcessHeap 6671->6674 6672->6673 6673->6220 6674->6673 6675 471a2e HeapAlloc 6674->6675 6675->6673 6676 471a42 GetAdaptersInfo 6675->6676 6677 471a62 
6676->6677 6678 471a52 HeapReAlloc 6676->6678 6679 471aa1 FreeLibrary 6677->6679 6680 471a69 GetAdaptersInfo 6677->6680 6678->6677 6679->6673 6680->6679 6681 471a75 HeapFree 6680->6681 6681->6679 6745 471ac3 LoadLibraryA 6683->6745 6686 471bcf 6686->6232 6688 471ac3 13 API calls 6687->6688 6689 471c09 6688->6689 6690 471c0d GetComputerNameA 6689->6690 6691 471c5a 6689->6691 6692 471c45 GetVolumeInformationA 6690->6692 6693 471c1f 6690->6693 6691->6239 6692->6691 6693->6692 6694 471c41 6693->6694 6694->6691 6696 47ee2a 6695->6696 6697 4730d0 gethostname gethostbyname 6696->6697 6698 471f82 6697->6698 6698->6244 6698->6246 6700 47dd05 6 API calls 6699->6700 6701 47df7c 6700->6701 6702 47dd84 lstrcmpiA 6701->6702 6706 47df89 6702->6706 6703 47dfc4 6703->6212 6704 47ddcf lstrcmpA 6704->6706 6705 47ec2e codecvt 4 API calls 6705->6706 6706->6703 6706->6704 6706->6705 6707 47dd84 lstrcmpiA 6706->6707 6707->6706 6711 472419 lstrlenA 6708->6711 6710 472491 6710->6662 6712 47243d lstrlenA 6711->6712 6716 472474 6711->6716 6713 472464 lstrlenA 6712->6713 6714 47244e lstrcmpiA 6712->6714 6713->6712 6713->6716 6714->6713 6715 47245c 6714->6715 6715->6713 6715->6716 6716->6710 6718 47dd05 6 API calls 6717->6718 6719 47e8b4 6718->6719 6720 47dd84 lstrcmpiA 6719->6720 6721 47e8c0 6720->6721 6722 47e8c8 lstrcpynA 6721->6722 6731 47e90a 6721->6731 6723 47e8f5 6722->6723 6738 47df4c 6723->6738 6724 472419 4 API calls 6725 47e926 lstrlenA lstrlenA 6724->6725 6727 47e94c lstrlenA 6725->6727 6729 47e96a 6725->6729 6727->6729 6728 47e901 6730 47dd84 lstrcmpiA 6728->6730 6732 47ebcc 4 API calls 6729->6732 6733 47ea27 6729->6733 6730->6731 6731->6724 6731->6733 6734 47e98f 6732->6734 6733->6667 6734->6733 6735 47df4c 20 API calls 6734->6735 6736 47ea1e 6735->6736 6737 47ec2e codecvt 4 API calls 6736->6737 6737->6733 6739 47dd05 6 API calls 6738->6739 6740 47df51 6739->6740 6741 47f04e 4 API calls 6740->6741 6742 47df58 6741->6742 6743 47de24 10 API calls 6742->6743 6744 47df63 6743->6744 
6744->6728 6746 471ae2 GetProcAddress 6745->6746 6751 471b68 GetComputerNameA GetVolumeInformationA 6745->6751 6747 471af5 6746->6747 6746->6751 6748 471b1c GetAdaptersAddresses 6747->6748 6749 471b29 6747->6749 6750 47ebed 8 API calls 6747->6750 6748->6747 6748->6749 6749->6751 6752 47ec2e codecvt 4 API calls 6749->6752 6750->6747 6751->6686 6752->6751 6754 476ec3 2 API calls 6753->6754 6755 477ef4 6754->6755 6756 477fc9 6755->6756 6789 4773ff 6755->6789 6756->6255 6758 477f16 6758->6756 6809 477809 GetUserNameA 6758->6809 6760 477f63 6760->6756 6833 47ef1e lstrlenA 6760->6833 6763 47ef1e lstrlenA 6764 477fb7 6763->6764 6835 477a95 RegOpenKeyExA 6764->6835 6767 477073 6766->6767 6768 4770b9 RegOpenKeyExA 6767->6768 6769 4770d0 6768->6769 6783 4771b8 6768->6783 6770 476dc2 6 API calls 6769->6770 6773 4770d5 6770->6773 6771 47719b RegEnumValueA 6772 4771af RegCloseKey 6771->6772 6771->6773 6772->6783 6773->6771 6775 4771d0 6773->6775 6866 47f1a5 lstrlenA 6773->6866 6776 477205 RegCloseKey 6775->6776 6777 477227 6775->6777 6776->6783 6778 47728e RegCloseKey 6777->6778 6779 4772b8 ___ascii_stricmp 6777->6779 6778->6783 6780 4772cd RegCloseKey 6779->6780 6781 4772dd 6779->6781 6780->6783 6782 477311 RegCloseKey 6781->6782 6785 477335 6781->6785 6782->6783 6783->6256 6784 4773d5 RegCloseKey 6786 4773e4 6784->6786 6785->6784 6787 47737e GetFileAttributesExA 6785->6787 6788 477397 6785->6788 6787->6788 6788->6784 6790 47741b 6789->6790 6791 476dc2 6 API calls 6790->6791 6792 47743f 6791->6792 6793 477469 RegOpenKeyExA 6792->6793 6794 4777f9 6793->6794 6804 477487 ___ascii_stricmp 6793->6804 6794->6758 6795 477703 RegEnumKeyA 6796 477714 RegCloseKey 6795->6796 6795->6804 6796->6794 6797 4774d2 RegOpenKeyExA 6797->6804 6798 47772c 6800 477742 RegCloseKey 6798->6800 6801 47774b 6798->6801 6799 477521 RegQueryValueExA 6799->6804 6800->6801 6802 4777ec RegCloseKey 6801->6802 6802->6794 6803 4776e4 RegCloseKey 6803->6804 6804->6795 6804->6797 6804->6798 6804->6799 6804->6803 
6806 47f1a5 lstrlenA 6804->6806 6807 47777e GetFileAttributesExA 6804->6807 6808 477769 6804->6808 6805 4777e3 RegCloseKey 6805->6802 6806->6804 6807->6808 6808->6805 6810 477a8d 6809->6810 6811 47783d LookupAccountNameA 6809->6811 6810->6760 6811->6810 6812 477874 GetLengthSid GetFileSecurityA 6811->6812 6812->6810 6813 4778a8 GetSecurityDescriptorOwner 6812->6813 6814 4778c5 EqualSid 6813->6814 6815 47791d GetSecurityDescriptorDacl 6813->6815 6814->6815 6816 4778dc LocalAlloc 6814->6816 6815->6810 6831 477941 6815->6831 6816->6815 6817 4778ef InitializeSecurityDescriptor 6816->6817 6818 477916 LocalFree 6817->6818 6819 4778fb SetSecurityDescriptorOwner 6817->6819 6818->6815 6819->6818 6821 47790b SetFileSecurityA 6819->6821 6820 47795b GetAce 6820->6831 6821->6818 6822 477980 EqualSid 6822->6831 6823 477a3d 6823->6810 6826 477a43 LocalAlloc 6823->6826 6824 4779be EqualSid 6824->6831 6825 47799d DeleteAce 6825->6831 6826->6810 6827 477a56 InitializeSecurityDescriptor 6826->6827 6828 477a86 LocalFree 6827->6828 6829 477a62 SetSecurityDescriptorDacl 6827->6829 6828->6810 6829->6828 6830 477a73 SetFileSecurityA 6829->6830 6830->6828 6832 477a83 6830->6832 6831->6810 6831->6820 6831->6822 6831->6823 6831->6824 6831->6825 6832->6828 6834 477fa6 6833->6834 6834->6763 6836 477ac4 6835->6836 6837 477acb GetUserNameA 6835->6837 6836->6756 6838 477da7 RegCloseKey 6837->6838 6839 477aed LookupAccountNameA 6837->6839 6838->6836 6839->6838 6840 477b24 RegGetKeySecurity 6839->6840 6840->6838 6841 477b49 GetSecurityDescriptorOwner 6840->6841 6842 477b63 EqualSid 6841->6842 6843 477bb8 GetSecurityDescriptorDacl 6841->6843 6842->6843 6845 477b74 LocalAlloc 6842->6845 6844 477da6 6843->6844 6851 477bdc 6843->6851 6844->6838 6845->6843 6846 477b8a InitializeSecurityDescriptor 6845->6846 6847 477b96 SetSecurityDescriptorOwner 6846->6847 6848 477bb1 LocalFree 6846->6848 6847->6848 6850 477ba6 RegSetKeySecurity 6847->6850 6848->6843 6849 477bf8 GetAce 6849->6851 6850->6848 6851->6844 
6851->6849 6852 477c1d EqualSid 6851->6852 6853 477cd9 6851->6853 6854 477c5f EqualSid 6851->6854 6855 477c3a DeleteAce 6851->6855 6852->6851 6853->6844 6856 477d5a LocalAlloc 6853->6856 6858 477cf2 RegOpenKeyExA 6853->6858 6854->6851 6855->6851 6856->6844 6857 477d70 InitializeSecurityDescriptor 6856->6857 6859 477d9f LocalFree 6857->6859 6860 477d7c SetSecurityDescriptorDacl 6857->6860 6858->6856 6863 477d0f 6858->6863 6859->6844 6860->6859 6861 477d8c RegSetKeySecurity 6860->6861 6861->6859 6862 477d9c 6861->6862 6862->6859 6864 477d43 RegSetValueExA 6863->6864 6864->6856 6865 477d54 6864->6865 6865->6856 6867 47f1c3 6866->6867 6867->6773 6868->6275 6870 47dd05 6 API calls 6869->6870 6873 47e65f 6870->6873 6871 47e6a5 6872 47ebcc 4 API calls 6871->6872 6878 47e6f5 6871->6878 6875 47e6b0 6872->6875 6873->6871 6874 47e68c lstrcmpA 6873->6874 6874->6873 6876 47e6e0 lstrcpynA 6875->6876 6875->6878 6879 47e6b7 6875->6879 6876->6878 6877 47e71d lstrcmpA 6877->6878 6878->6877 6878->6879 6879->6277 6880->6283 6882 47268e 6881->6882 6883 472692 6881->6883 6885 47f428 6882->6885 6883->6882 6884 47269e gethostbyname 6883->6884 6884->6882 7033 47f315 6885->7033 6888 47f43e 6889 47f473 recv 6888->6889 6890 47f47c 6889->6890 6891 47f458 6889->6891 6890->6314 6891->6889 6891->6890 6893 47c525 6892->6893 6894 47c532 6892->6894 6893->6894 6896 47ec2e codecvt 4 API calls 6893->6896 6895 47c548 6894->6895 7043 47e7ff 6894->7043 6898 47e7ff lstrcmpiA 6895->6898 6906 47c54f 6895->6906 6896->6894 6899 47c615 6898->6899 6900 47ebcc 4 API calls 6899->6900 6899->6906 6900->6906 6902 47c5d1 6903 47ebcc 4 API calls 6902->6903 6903->6906 6904 47e819 11 API calls 6905 47c5b7 6904->6905 6907 47f04e 4 API calls 6905->6907 6906->6297 6908 47c5bf 6907->6908 6908->6895 6908->6902 6911 47c8d2 6909->6911 6910 47c907 6910->6298 6911->6910 6912 47c517 23 API calls 6911->6912 6912->6910 6914 47c67d 6913->6914 6915 47c670 6913->6915 6917 47ebcc 4 API calls 6914->6917 6919 47c699 6914->6919 6916 47ebcc 
4 API calls 6915->6916 6916->6914 6917->6919 6918 47c6f3 6918->6389 6919->6918 6920 47c73c send 6919->6920 6920->6918 6922 47c77d 6921->6922 6923 47c770 6921->6923 6925 47c799 6922->6925 6926 47ebcc 4 API calls 6922->6926 6924 47ebcc 4 API calls 6923->6924 6924->6922 6927 47c7b5 6925->6927 6928 47ebcc 4 API calls 6925->6928 6926->6925 6929 47f43e recv 6927->6929 6928->6927 6930 47c7cb 6929->6930 6931 47f43e recv 6930->6931 6932 47c7d3 6930->6932 6931->6932 6932->6389 7046 477db7 6933->7046 6936 477e70 6938 477e96 6936->6938 6940 47f04e 4 API calls 6936->6940 6937 47f04e 4 API calls 6939 477e4c 6937->6939 6938->6389 6939->6936 6941 47f04e 4 API calls 6939->6941 6940->6938 6941->6936 6943 476ec3 2 API calls 6942->6943 6944 477fdd 6943->6944 6945 4773ff 17 API calls 6944->6945 6946 4780c2 CreateProcessA 6944->6946 6947 477fff 6945->6947 6946->6377 6946->6378 6947->6946 6948 477809 21 API calls 6947->6948 6949 47804d 6948->6949 6949->6946 6950 47ef1e lstrlenA 6949->6950 6951 47809e 6950->6951 6952 47ef1e lstrlenA 6951->6952 6953 4780af 6952->6953 6954 477a95 24 API calls 6953->6954 6954->6946 6956 477db7 2 API calls 6955->6956 6957 477eb8 6956->6957 6958 47f04e 4 API calls 6957->6958 6959 477ece DeleteFileA 6958->6959 6959->6389 6961 47dd05 6 API calls 6960->6961 6962 47e31d 6961->6962 7050 47e177 6962->7050 6964 47e326 6964->6352 6966 4731f3 6965->6966 6976 4731ec 6965->6976 6967 47ebcc 4 API calls 6966->6967 6981 4731fc 6967->6981 6968 47344b 6969 47349d 6968->6969 6970 473459 6968->6970 6971 47ec2e codecvt 4 API calls 6969->6971 6972 47f04e 4 API calls 6970->6972 6971->6976 6973 47345f 6972->6973 6974 4730fa 4 API calls 6973->6974 6974->6976 6975 47ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6975->6981 6976->6389 6977 47344d 6978 47ec2e codecvt 4 API calls 6977->6978 6978->6968 6980 473141 lstrcmpiA 6980->6981 6981->6968 6981->6975 6981->6976 6981->6977 6981->6980 7076 4730fa GetTickCount 6981->7076 6983 4730fa 4 API calls 6982->6983 6984 473c1a 
6983->6984 6988 473ce6 6984->6988 7081 473a72 6984->7081 6987 473a72 9 API calls 6991 473c5e 6987->6991 6988->6389 6989 473a72 9 API calls 6989->6991 6990 47ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6990->6991 6991->6988 6991->6989 6991->6990 6993 473a10 6992->6993 6994 4730fa 4 API calls 6993->6994 6995 473a1a 6994->6995 6995->6389 6997 47dd05 6 API calls 6996->6997 6998 47e7be 6997->6998 6998->6389 7000 47c105 6999->7000 7001 47c07e wsprintfA 6999->7001 7000->6389 7090 47bfce GetTickCount wsprintfA 7001->7090 7003 47c0ef 7091 47bfce GetTickCount wsprintfA 7003->7091 7006 477047 7005->7006 7007 476f88 LookupAccountNameA 7005->7007 7006->6389 7009 477025 7007->7009 7010 476fcb 7007->7010 7092 476edd 7009->7092 7012 476fdb ConvertSidToStringSidA 7010->7012 7012->7009 7014 476ff1 7012->7014 7015 477013 LocalFree 7014->7015 7015->7009 7017 47dd05 6 API calls 7016->7017 7018 47e85c 7017->7018 7019 47dd84 lstrcmpiA 7018->7019 7020 47e867 7019->7020 7021 47e885 lstrcpyA 7020->7021 7103 4724a5 7020->7103 7106 47dd69 7021->7106 7027 477db7 2 API calls 7026->7027 7028 477de1 7027->7028 7029 47f04e 4 API calls 7028->7029 7032 477e16 7028->7032 7030 477df2 7029->7030 7031 47f04e 4 API calls 7030->7031 7030->7032 7031->7032 7032->6389 7034 47f33b 7033->7034 7037 47ca1d 7033->7037 7035 47f347 htons socket 7034->7035 7036 47f382 ioctlsocket 7035->7036 7035->7037 7036->7037 7038 47f3aa connect select 7036->7038 7037->6311 7037->6888 7038->7037 7039 47f3f2 __WSAFDIsSet 7038->7039 7039->7037 7040 47f403 ioctlsocket 7039->7040 7042 47f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7040->7042 7042->7037 7044 47dd84 lstrcmpiA 7043->7044 7045 47c58e 7044->7045 7045->6895 7045->6902 7045->6904 7047 477dc8 InterlockedExchange 7046->7047 7048 477dd4 7047->7048 7049 477dc0 Sleep 7047->7049 7048->6936 7048->6937 7049->7047 7053 47e184 7050->7053 7051 47e2e4 7051->6964 7052 47e223 7052->7051 7055 47dfe2 8 API calls 7052->7055 7053->7051 7053->7052 7066 
47dfe2 7053->7066 7060 47e23c 7055->7060 7056 47e1be 7056->7052 7057 47dbcf 3 API calls 7056->7057 7059 47e1d6 7057->7059 7058 47e21a CloseHandle 7058->7052 7059->7052 7059->7058 7061 47e1f9 WriteFile 7059->7061 7060->7051 7070 47e095 RegCreateKeyExA 7060->7070 7061->7058 7063 47e213 7061->7063 7063->7058 7064 47e2a3 7064->7051 7065 47e095 4 API calls 7064->7065 7065->7051 7067 47dffc 7066->7067 7069 47e024 7066->7069 7068 47db2e 8 API calls 7067->7068 7067->7069 7068->7069 7069->7056 7071 47e172 7070->7071 7073 47e0c0 7070->7073 7071->7064 7072 47e13d 7074 47e14e RegDeleteValueA RegCloseKey 7072->7074 7073->7072 7075 47e115 RegSetValueExA 7073->7075 7074->7071 7075->7072 7075->7073 7077 473122 InterlockedExchange 7076->7077 7078 47310f GetTickCount 7077->7078 7079 47312e 7077->7079 7078->7079 7080 47311a Sleep 7078->7080 7079->6981 7080->7077 7082 47f04e 4 API calls 7081->7082 7083 473a83 7082->7083 7086 473bc0 7083->7086 7088 473b66 lstrlenA 7083->7088 7089 473ac1 7083->7089 7084 473be6 7087 47ec2e codecvt 4 API calls 7084->7087 7085 47ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7085->7086 7086->7084 7086->7085 7087->7089 7088->7083 7088->7089 7089->6987 7089->6988 7090->7003 7091->7000 7093 476eef AllocateAndInitializeSid 7092->7093 7094 476f55 wsprintfA 7092->7094 7095 476f44 7093->7095 7096 476f1c CheckTokenMembership 7093->7096 7094->7006 7095->7094 7100 476e36 GetUserNameW 7095->7100 7097 476f2e 7096->7097 7098 476f3b FreeSid 7096->7098 7097->7098 7098->7095 7101 476e5f LookupAccountNameW 7100->7101 7102 476e97 7100->7102 7101->7102 7102->7094 7104 472419 4 API calls 7103->7104 7105 4724b6 7104->7105 7105->7021 7107 47dd79 lstrlenA 7106->7107 7107->6389 7109 47eb17 7108->7109 7111 47eb21 7108->7111 7110 47eae4 2 API calls 7109->7110 7110->7111 7111->6436 7114 4769b9 WriteFile 7112->7114 7116 476a3c 7114->7116 7117 4769ff 7114->7117 7115 476a10 WriteFile 7115->7116 7115->7117 7116->6432 7116->6433 7117->7115 7117->7116 7119 473ee2 
7118->7119 7120 473edc 7118->7120 7119->6447 7121 476dc2 6 API calls 7120->7121 7121->7119 7123 47400b CreateFileA 7122->7123 7124 47402c GetLastError 7123->7124 7125 474052 7123->7125 7124->7125 7126 474037 7124->7126 7125->6450 7126->7125 7127 474041 Sleep 7126->7127 7127->7123 7127->7125 7129 473f4e GetLastError 7128->7129 7130 473f7c 7128->7130 7129->7130 7131 473f5b WaitForSingleObject GetOverlappedResult 7129->7131 7132 473f8c ReadFile 7130->7132 7131->7130 7133 473fc2 GetLastError 7132->7133 7134 473ff0 7132->7134 7133->7134 7135 473fcf WaitForSingleObject GetOverlappedResult 7133->7135 7134->6455 7134->6456 7135->7134 7137 471924 GetVersionExA 7136->7137 7137->6495 7139 47f0f1 7138->7139 7140 47f0ed 7138->7140 7141 47f0fa lstrlenA SysAllocStringByteLen 7139->7141 7142 47f119 7139->7142 7140->6527 7143 47f117 7141->7143 7144 47f11c MultiByteToWideChar 7141->7144 7142->7144 7143->6527 7144->7143 7146 471820 17 API calls 7145->7146 7147 4718f2 7146->7147 7148 4718f9 7147->7148 7162 471280 7147->7162 7148->6517 7150 471908 7150->6517 7174 471000 7151->7174 7153 471839 7154 471851 GetCurrentProcess 7153->7154 7155 47183d 7153->7155 7156 471864 7154->7156 7155->6513 7156->6513 7159 47920e 7157->7159 7161 479308 7157->7161 7158 4792f1 Sleep 7158->7159 7159->7158 7160 4792bf ShellExecuteA 7159->7160 7159->7161 7160->7159 7160->7161 7161->6517 7163 4712e1 7162->7163 7164 4716f9 GetLastError 7163->7164 7171 4713a8 7163->7171 7165 471699 7164->7165 7165->7150 7166 471570 lstrlenW 7166->7171 7167 4715be GetStartupInfoW 7167->7171 7168 4715ff CreateProcessWithLogonW 7169 4716bf GetLastError 7168->7169 7170 47163f WaitForSingleObject 7168->7170 7169->7165 7170->7171 7172 471659 CloseHandle 7170->7172 7171->7165 7171->7166 7171->7167 7171->7168 7173 471668 CloseHandle 7171->7173 7172->7171 7173->7171 7175 471023 7174->7175 7176 47100d LoadLibraryA 7174->7176 7178 4710b5 GetProcAddress 7175->7178 7194 4710ae 7175->7194 7176->7175 7177 471021 7176->7177 7177->7153 7179 
4710d1 GetProcAddress 7178->7179 7180 47127b 7178->7180 7179->7180 7181 4710f0 GetProcAddress 7179->7181 7180->7153 7181->7180 7182 471110 GetProcAddress 7181->7182 7182->7180 7183 471130 GetProcAddress 7182->7183 7183->7180 7184 47114f GetProcAddress 7183->7184 7184->7180 7185 47116f GetProcAddress 7184->7185 7185->7180 7186 47118f GetProcAddress 7185->7186 7186->7180 7187 4711ae GetProcAddress 7186->7187 7187->7180 7188 4711ce GetProcAddress 7187->7188 7188->7180 7189 4711ee GetProcAddress 7188->7189 7189->7180 7190 471209 GetProcAddress 7189->7190 7190->7180 7191 471225 GetProcAddress 7190->7191 7191->7180 7192 471241 GetProcAddress 7191->7192 7192->7180 7193 47125c GetProcAddress 7192->7193 7193->7180 7194->7153 7196 47908d 7195->7196 7197 4790e2 wsprintfA 7196->7197 7198 47ee2a 7197->7198 7199 4790fd CreateFileA 7198->7199 7200 47913f 7199->7200 7201 47911a lstrlenA WriteFile CloseHandle 7199->7201 7200->6550 7200->6551 7201->7200 7203 47ee2a 7202->7203 7204 479794 CreateProcessA 7203->7204 7205 4797c2 7204->7205 7206 4797bb 7204->7206 7207 4797d4 GetThreadContext 7205->7207 7206->6561 7208 4797f5 7207->7208 7209 479801 7207->7209 7210 4797f6 TerminateProcess 7208->7210 7216 47637c 7209->7216 7210->7206 7212 479816 7212->7210 7213 47981e WriteProcessMemory 7212->7213 7213->7208 7214 47983b SetThreadContext 7213->7214 7214->7208 7215 479858 ResumeThread 7214->7215 7215->7206 7217 476386 7216->7217 7218 47638a GetModuleHandleA VirtualAlloc 7216->7218 7217->7212 7219 4763f5 7218->7219 7220 4763b6 7218->7220 7219->7212 7221 4763be VirtualAllocEx 7220->7221 7221->7219 7222 4763d6 7221->7222 7223 4763df WriteProcessMemory 7222->7223 7223->7219 7225 474084 7224->7225 7226 47407d 7224->7226 7227 473ecd 6 API calls 7225->7227 7228 47408f 7227->7228 7229 474000 3 API calls 7228->7229 7230 474095 7229->7230 7231 474130 7230->7231 7232 4740c0 7230->7232 7233 473ecd 6 API calls 7231->7233 7237 473f18 4 API calls 7232->7237 7234 474159 CreateNamedPipeA 7233->7234 7235 
474167 Sleep 7234->7235 7236 474188 ConnectNamedPipe 7234->7236 7235->7231 7238 474176 CloseHandle 7235->7238 7240 474195 GetLastError 7236->7240 7249 4741ab 7236->7249 7239 4740da 7237->7239 7238->7236 7241 473f8c 4 API calls 7239->7241 7242 47425e DisconnectNamedPipe 7240->7242 7240->7249 7243 4740ec 7241->7243 7242->7236 7244 474127 CloseHandle 7243->7244 7245 474101 7243->7245 7244->7231 7246 473f18 4 API calls 7245->7246 7247 47411c ExitProcess 7246->7247 7248 473f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7248->7249 7249->7236 7249->7242 7249->7248 7250 473f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7249->7250 7251 47426a CloseHandle CloseHandle 7249->7251 7250->7249 7252 47e318 23 API calls 7251->7252 7253 47427b 7252->7253 7253->7253 7255 47879f 7254->7255 7256 478791 7254->7256 7258 4787bc 7255->7258 7259 47f04e 4 API calls 7255->7259 7257 47f04e 4 API calls 7256->7257 7257->7255 7260 47e819 11 API calls 7258->7260 7259->7258 7261 4787d7 7260->7261 7265 478803 7261->7265 7379 4726b2 gethostbyaddr 7261->7379 7264 4787eb 7264->7265 7267 47e8a1 30 API calls 7264->7267 7270 47e819 11 API calls 7265->7270 7271 4788a0 Sleep 7265->7271 7272 47f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7265->7272 7274 4726b2 2 API calls 7265->7274 7275 47e8a1 30 API calls 7265->7275 7276 478cee 7265->7276 7284 47c4d6 7265->7284 7287 47c4e2 7265->7287 7290 472011 7265->7290 7325 478328 7265->7325 7267->7265 7270->7265 7271->7265 7272->7265 7274->7265 7275->7265 7277 478d02 GetTickCount 7276->7277 7278 478dae 7276->7278 7277->7278 7280 478d19 7277->7280 7278->7265 7279 478da1 GetTickCount 7279->7278 7280->7279 7283 478d89 7280->7283 7384 47a677 7280->7384 7387 47a688 7280->7387 7283->7279 7395 47c2dc 7284->7395 7288 47c2dc 137 API calls 7287->7288 7289 47c4ec 7288->7289 7289->7265 7291 47202e 7290->7291 7292 472020 7290->7292 7294 47204b 7291->7294 7295 47f04e 4 API calls 7291->7295 7293 47f04e 4 API 
calls 7292->7293 7293->7291 7296 47206e GetTickCount 7294->7296 7299 47f04e 4 API calls 7294->7299 7295->7294 7297 472090 7296->7297 7298 4720db GetTickCount 7296->7298 7301 4720d4 GetTickCount 7297->7301 7305 472684 gethostbyname 7297->7305 7315 4720ce 7297->7315 7733 471978 7297->7733 7302 472132 GetTickCount GetTickCount 7298->7302 7312 4720e7 7298->7312 7300 472068 7299->7300 7300->7296 7301->7298 7304 47f04e 4 API calls 7302->7304 7303 47212b GetTickCount 7303->7302 7306 472159 7304->7306 7305->7297 7308 4721b4 7306->7308 7310 47e854 13 API calls 7306->7310 7309 47f04e 4 API calls 7308->7309 7314 4721d1 7309->7314 7311 47218e 7310->7311 7316 47e819 11 API calls 7311->7316 7312->7303 7317 471978 12 API calls 7312->7317 7318 472125 7312->7318 7723 472ef8 7312->7723 7319 4721f2 7314->7319 7321 47ea84 30 API calls 7314->7321 7315->7301 7320 47219c 7316->7320 7317->7312 7318->7303 7319->7265 7320->7308 7736 471c5f 7320->7736 7322 4721ec 7321->7322 7323 47f04e 4 API calls 7322->7323 7323->7319 7326 477dd6 6 API calls 7325->7326 7327 47833c 7326->7327 7328 476ec3 2 API calls 7327->7328 7352 478340 7327->7352 7329 47834f 7328->7329 7330 47835c 7329->7330 7334 47846b 7329->7334 7331 4773ff 17 API calls 7330->7331 7347 478373 7331->7347 7332 4785df 7335 478626 GetTempPathA 7332->7335 7346 478768 7332->7346 7364 478671 7332->7364 7333 47675c 21 API calls 7333->7332 7336 4784a7 RegOpenKeyExA 7334->7336 7368 478450 7334->7368 7353 478638 7335->7353 7338 47852f 7336->7338 7339 4784c0 RegQueryValueExA 7336->7339 7344 478564 RegOpenKeyExA 7338->7344 7356 4785a5 7338->7356 7341 478521 RegCloseKey 7339->7341 7342 4784dd 7339->7342 7340 4786ad 7343 478762 7340->7343 7345 477e2f 6 API calls 7340->7345 7341->7338 7342->7341 7349 47ebcc 4 API calls 7342->7349 7343->7346 7348 478573 RegSetValueExA RegCloseKey 7344->7348 7344->7356 7357 4786bb 7345->7357 7351 47ec2e codecvt 4 API calls 7346->7351 7346->7352 7347->7352 7358 4783ea RegOpenKeyExA 7347->7358 7347->7368 7348->7356 7355 
4784f0 7349->7355 7350 47875b DeleteFileA 7350->7343 7351->7352 7352->7265 7353->7364 7355->7341 7359 4784f8 RegQueryValueExA 7355->7359 7362 47ec2e codecvt 4 API calls 7356->7362 7356->7368 7357->7350 7363 4786e0 lstrcpyA lstrlenA 7357->7363 7360 4783fd RegQueryValueExA 7358->7360 7358->7368 7359->7341 7361 478515 7359->7361 7365 47841e 7360->7365 7366 47842d RegSetValueExA 7360->7366 7367 47ec2e codecvt 4 API calls 7361->7367 7362->7368 7369 477fcf 64 API calls 7363->7369 7808 476ba7 IsBadCodePtr 7364->7808 7365->7366 7370 478447 RegCloseKey 7365->7370 7366->7370 7371 47851d 7367->7371 7368->7332 7368->7333 7372 478719 CreateProcessA 7369->7372 7370->7368 7371->7341 7373 47874f 7372->7373 7374 47873d CloseHandle CloseHandle 7372->7374 7375 477ee6 64 API calls 7373->7375 7374->7346 7376 478754 7375->7376 7377 477ead 6 API calls 7376->7377 7378 47875a 7377->7378 7378->7350 7380 4726cd 7379->7380 7381 4726fb 7379->7381 7382 4726e1 inet_ntoa 7380->7382 7383 4726de 7380->7383 7381->7264 7382->7383 7383->7264 7390 47a63d 7384->7390 7386 47a685 7386->7280 7388 47a63d GetTickCount 7387->7388 7389 47a696 7388->7389 7389->7280 7391 47a645 7390->7391 7392 47a64d 7390->7392 7391->7386 7393 47a66e 7392->7393 7394 47a65e GetTickCount 7392->7394 7393->7386 7394->7393 7412 47a4c7 GetTickCount 7395->7412 7398 47c326 7401 47c337 7398->7401 7402 47c32b GetTickCount 7398->7402 7399 47c300 GetTickCount 7399->7401 7400 47c47a 7403 47c4d2 7400->7403 7404 47c4ab InterlockedIncrement CreateThread 7400->7404 7401->7400 7406 47c363 GetTickCount 7401->7406 7402->7401 7403->7265 7404->7403 7405 47c4cb CloseHandle 7404->7405 7417 47b535 7404->7417 7405->7403 7406->7400 7407 47c373 7406->7407 7408 47c378 GetTickCount 7407->7408 7409 47c37f 7407->7409 7408->7409 7410 47c43b GetTickCount 7409->7410 7411 47c45e 7410->7411 7411->7400 7413 47a4f7 InterlockedExchange 7412->7413 7414 47a4e4 GetTickCount 7413->7414 7415 47a500 7413->7415 7414->7415 7416 47a4ef Sleep 7414->7416 7415->7398 7415->7399 
7415->7400 7416->7413 7418 47b566 7417->7418 7419 47ebcc 4 API calls 7418->7419 7420 47b587 7419->7420 7421 47ebcc 4 API calls 7420->7421 7461 47b590 7421->7461 7422 47bdcd InterlockedDecrement 7423 47bde2 7422->7423 7425 47ec2e codecvt 4 API calls 7423->7425 7426 47bdea 7425->7426 7427 47ec2e codecvt 4 API calls 7426->7427 7429 47bdf2 7427->7429 7428 47bdb7 Sleep 7428->7461 7431 47be05 7429->7431 7432 47ec2e codecvt 4 API calls 7429->7432 7430 47bdcc 7430->7422 7432->7431 7433 47ebed 8 API calls 7433->7461 7436 47b6b6 lstrlenA 7436->7461 7437 4730b5 2 API calls 7437->7461 7438 47b6ed lstrcpyA 7490 475ce1 7438->7490 7439 47e819 11 API calls 7439->7461 7442 47b731 lstrlenA 7442->7461 7443 47b71f lstrcmpA 7443->7442 7443->7461 7444 47b772 GetTickCount 7444->7461 7445 47bd49 InterlockedIncrement 7584 47a628 7445->7584 7448 47bc5b InterlockedIncrement 7448->7461 7449 4738f0 6 API calls 7449->7461 7450 47b7ce InterlockedIncrement 7500 47acd7 7450->7500 7453 47b912 GetTickCount 7453->7461 7454 47b826 InterlockedIncrement 7454->7444 7455 47b932 GetTickCount 7456 47bc6d InterlockedIncrement 7455->7456 7455->7461 7456->7461 7457 47bba6 InterlockedIncrement 7457->7461 7460 475ce1 22 API calls 7460->7461 7461->7422 7461->7428 7461->7430 7461->7433 7461->7436 7461->7437 7461->7438 7461->7439 7461->7442 7461->7443 7461->7444 7461->7445 7461->7448 7461->7449 7461->7450 7461->7453 7461->7454 7461->7455 7461->7457 7461->7460 7462 47ba71 wsprintfA 7461->7462 7467 47a7c1 22 API calls 7461->7467 7468 47ab81 lstrcpynA InterlockedIncrement 7461->7468 7469 47ef1e lstrlenA 7461->7469 7470 475ded 12 API calls 7461->7470 7471 47a688 GetTickCount 7461->7471 7472 473e10 7461->7472 7475 473e4f 7461->7475 7478 47384f 7461->7478 7498 47a7a3 inet_ntoa 7461->7498 7505 47abee 7461->7505 7517 471feb GetTickCount 7461->7517 7538 473cfb 7461->7538 7541 47b3c5 7461->7541 7572 47ab81 7461->7572 7518 47a7c1 7462->7518 7467->7461 7468->7461 7469->7461 7470->7461 7471->7461 7473 4730fa 4 API calls 
7472->7473 7474 473e1d 7473->7474 7474->7461 7476 4730fa 4 API calls 7475->7476 7477 473e5c 7476->7477 7477->7461 7479 4730fa 4 API calls 7478->7479 7481 473863 7479->7481 7480 4738b2 7480->7461 7481->7480 7482 4738b9 7481->7482 7483 473889 7481->7483 7593 4735f9 7482->7593 7587 473718 7483->7587 7488 473718 6 API calls 7488->7480 7489 4735f9 6 API calls 7489->7480 7491 475cf4 7490->7491 7492 475cec 7490->7492 7494 474bd1 4 API calls 7491->7494 7599 474bd1 GetTickCount 7492->7599 7495 475d02 7494->7495 7604 475472 7495->7604 7499 47a7b9 7498->7499 7499->7461 7501 47f315 12 API calls 7500->7501 7502 47aceb 7501->7502 7503 47acff 7502->7503 7504 47f315 12 API calls 7502->7504 7503->7461 7504->7503 7506 47abfb 7505->7506 7510 47ac65 7506->7510 7667 472f22 7506->7667 7508 47f315 12 API calls 7508->7510 7509 47ac23 7509->7510 7513 472684 gethostbyname 7509->7513 7510->7508 7511 47ac6f 7510->7511 7516 47ac8a 7510->7516 7512 47ab81 2 API calls 7511->7512 7514 47ac81 7512->7514 7513->7509 7675 4738f0 7514->7675 7516->7461 7517->7461 7519 47a7df 7518->7519 7520 47a87d lstrlenA send 7518->7520 7519->7520 7526 47a7fa wsprintfA 7519->7526 7529 47a80a 7519->7529 7530 47a8f2 7519->7530 7521 47a8bf 7520->7521 7522 47a899 7520->7522 7525 47a8c4 send 7521->7525 7521->7530 7524 47a8a5 wsprintfA 7522->7524 7537 47a89e 7522->7537 7523 47a978 recv 7523->7530 7531 47a982 7523->7531 7524->7537 7527 47a8d8 wsprintfA 7525->7527 7525->7530 7526->7529 7527->7537 7528 47a9b0 wsprintfA 7528->7537 7529->7520 7530->7523 7530->7528 7530->7531 7532 4730b5 2 API calls 7531->7532 7531->7537 7533 47ab05 7532->7533 7534 47e819 11 API calls 7533->7534 7535 47ab17 7534->7535 7536 47a7a3 inet_ntoa 7535->7536 7536->7537 7537->7461 7539 4730fa 4 API calls 7538->7539 7540 473d0b 7539->7540 7540->7461 7542 475ce1 22 API calls 7541->7542 7543 47b3e6 7542->7543 7544 475ce1 22 API calls 7543->7544 7545 47b404 7544->7545 7546 47ef7c 3 API calls 7545->7546 7552 47b440 7545->7552 7548 47b42b 7546->7548 7547 47ef7c 
3 API calls 7549 47b458 wsprintfA 7547->7549 7550 47ef7c 3 API calls 7548->7550 7551 47ef7c 3 API calls 7549->7551 7550->7552 7553 47b480 7551->7553 7552->7547 7554 47ef7c 3 API calls 7553->7554 7555 47b493 7554->7555 7556 47ef7c 3 API calls 7555->7556 7557 47b4bb 7556->7557 7691 47ad89 GetLocalTime SystemTimeToFileTime 7557->7691 7561 47b4cc 7562 47ef7c 3 API calls 7561->7562 7563 47b4dd 7562->7563 7564 47b211 7 API calls 7563->7564 7565 47b4ec 7564->7565 7566 47ef7c 3 API calls 7565->7566 7567 47b4fd 7566->7567 7568 47b211 7 API calls 7567->7568 7569 47b509 7568->7569 7570 47ef7c 3 API calls 7569->7570 7571 47b51a 7570->7571 7571->7461 7574 47abe9 GetTickCount 7572->7574 7575 47ab8c 7572->7575 7573 47aba8 lstrcpynA 7573->7575 7577 47a51d 7574->7577 7575->7573 7575->7574 7576 47abe1 InterlockedIncrement 7575->7576 7576->7575 7578 47a4c7 4 API calls 7577->7578 7579 47a52c 7578->7579 7580 47a542 GetTickCount 7579->7580 7582 47a539 GetTickCount 7579->7582 7580->7582 7583 47a56c 7582->7583 7583->7461 7585 47a4c7 4 API calls 7584->7585 7586 47a633 7585->7586 7586->7461 7588 47f04e 4 API calls 7587->7588 7590 47372a 7588->7590 7589 473847 7589->7480 7589->7488 7590->7589 7591 4737b3 GetCurrentThreadId 7590->7591 7591->7590 7592 4737c8 GetCurrentThreadId 7591->7592 7592->7590 7594 47f04e 4 API calls 7593->7594 7596 47360c 7594->7596 7595 4736f1 7595->7480 7595->7489 7596->7595 7597 4736da GetCurrentThreadId 7596->7597 7597->7595 7598 4736e5 GetCurrentThreadId 7597->7598 7598->7595 7600 474bff InterlockedExchange 7599->7600 7601 474bec GetTickCount 7600->7601 7602 474c08 7600->7602 7601->7602 7603 474bf7 Sleep 7601->7603 7602->7491 7603->7600 7623 474763 7604->7623 7606 475b58 7633 474699 7606->7633 7609 474763 lstrlenA 7610 475b6e 7609->7610 7654 474f9f 7610->7654 7612 475b79 7612->7461 7614 475549 lstrlenA 7617 47548a 7614->7617 7616 47558d lstrcpynA 7616->7617 7617->7606 7617->7616 7618 474ae6 8 API calls 7617->7618 7619 475a9f lstrcpyA 7617->7619 7620 475935 lstrcpynA 
7617->7620 7621 475472 13 API calls 7617->7621 7622 4758e7 lstrcpyA 7617->7622 7627 474ae6 7617->7627 7631 47ef7c lstrlenA lstrlenA lstrlenA 7617->7631 7618->7617 7619->7617 7620->7617 7621->7617 7622->7617 7625 47477a 7623->7625 7624 474859 7624->7617 7625->7624 7626 47480d lstrlenA 7625->7626 7626->7625 7628 474af3 7627->7628 7630 474b03 7627->7630 7629 47ebed 8 API calls 7628->7629 7629->7630 7630->7614 7632 47efb4 7631->7632 7632->7617 7659 4745b3 7633->7659 7636 4745b3 7 API calls 7637 4746c6 7636->7637 7638 4745b3 7 API calls 7637->7638 7639 4746d8 7638->7639 7640 4745b3 7 API calls 7639->7640 7641 4746ea 7640->7641 7642 4745b3 7 API calls 7641->7642 7643 4746ff 7642->7643 7644 4745b3 7 API calls 7643->7644 7645 474711 7644->7645 7646 4745b3 7 API calls 7645->7646 7647 474723 7646->7647 7648 47ef7c 3 API calls 7647->7648 7649 474735 7648->7649 7650 47ef7c 3 API calls 7649->7650 7651 47474a 7650->7651 7652 47ef7c 3 API calls 7651->7652 7653 47475c 7652->7653 7653->7609 7655 474fac 7654->7655 7658 474fb0 7654->7658 7655->7612 7656 474ffd 7656->7612 7657 474fd5 IsBadCodePtr 7657->7658 7658->7656 7658->7657 7660 4745c1 7659->7660 7661 4745c8 7659->7661 7662 47ebcc 4 API calls 7660->7662 7663 47ebcc 4 API calls 7661->7663 7665 4745e1 7661->7665 7662->7661 7663->7665 7664 474691 7664->7636 7665->7664 7666 47ef7c 3 API calls 7665->7666 7666->7665 7682 472d21 GetModuleHandleA 7667->7682 7670 472fcf GetProcessHeap HeapFree 7674 472f44 7670->7674 7671 472f4f 7673 472f6b GetProcessHeap HeapFree 7671->7673 7672 472f85 7672->7670 7672->7672 7673->7674 7674->7509 7676 473900 7675->7676 7680 473980 7675->7680 7677 4730fa 4 API calls 7676->7677 7681 47390a 7677->7681 7678 47391b GetCurrentThreadId 7678->7681 7679 473939 GetCurrentThreadId 7679->7681 7680->7516 7681->7678 7681->7679 7681->7680 7683 472d46 LoadLibraryA 7682->7683 7684 472d5b GetProcAddress 7682->7684 7683->7684 7685 472d54 7683->7685 7684->7685 7686 472d6b DnsQuery_A 7684->7686 7685->7671 7685->7672 7685->7674 
7686->7685 7687 472d7d 7686->7687 7687->7685 7688 472d97 GetProcessHeap HeapAlloc 7687->7688 7688->7685 7690 472dac 7688->7690 7689 472db5 lstrcpynA 7689->7690 7690->7687 7690->7689 7692 47adbf 7691->7692 7716 47ad08 gethostname 7692->7716 7695 4730b5 2 API calls 7696 47add3 7695->7696 7697 47a7a3 inet_ntoa 7696->7697 7705 47ade4 7696->7705 7697->7705 7698 47ae85 wsprintfA 7699 47ef7c 3 API calls 7698->7699 7700 47aebb 7699->7700 7702 47ef7c 3 API calls 7700->7702 7701 47ae36 wsprintfA wsprintfA 7703 47ef7c 3 API calls 7701->7703 7704 47aed2 7702->7704 7703->7705 7706 47b211 7704->7706 7705->7698 7705->7701 7707 47b2af GetLocalTime 7706->7707 7708 47b2bb FileTimeToLocalFileTime FileTimeToSystemTime 7706->7708 7709 47b2d2 7707->7709 7708->7709 7710 47b31c GetTimeZoneInformation 7709->7710 7711 47b2d9 SystemTimeToFileTime 7709->7711 7713 47b33a wsprintfA 7710->7713 7712 47b2ec 7711->7712 7714 47b312 FileTimeToSystemTime 7712->7714 7713->7561 7714->7710 7717 47ad71 7716->7717 7721 47ad26 lstrlenA 7716->7721 7719 47ad85 7717->7719 7720 47ad79 lstrcpyA 7717->7720 7719->7695 7720->7719 7721->7717 7722 47ad68 lstrlenA 7721->7722 7722->7717 7724 472d21 7 API calls 7723->7724 7725 472f01 7724->7725 7726 472f06 7725->7726 7727 472f14 7725->7727 7744 472df2 GetModuleHandleA 7726->7744 7729 472684 gethostbyname 7727->7729 7731 472f1d 7729->7731 7731->7312 7732 472f1f 7732->7312 7734 47f428 12 API calls 7733->7734 7735 47198a 7734->7735 7735->7297 7740 471c80 7736->7740 7737 471cc2 wsprintfA 7739 472684 gethostbyname 7737->7739 7738 471d1c 7738->7738 7741 471d47 wsprintfA 7738->7741 7739->7740 7740->7737 7740->7738 7743 471d79 7740->7743 7742 472684 gethostbyname 7741->7742 7742->7743 7743->7308 7745 472e10 LoadLibraryA 7744->7745 7746 472e0b 7744->7746 7747 472e17 7745->7747 7746->7745 7746->7747 7748 472ef1 7747->7748 7749 472e28 GetProcAddress 7747->7749 7748->7727 7748->7732 7749->7748 7750 472e3e GetProcessHeap HeapAlloc 7749->7750 7753 472e62 7750->7753 7751 472ede 
GetProcessHeap HeapFree 7751->7748 7752 472e7f htons 7752->7753 7753->7748 7753->7751 7753->7752 7754 472ea5 gethostbyname 7753->7754 7756 472ceb 7753->7756 7754->7753 7757 472cf2 7756->7757 7759 472d0e Sleep 7757->7759 7760 472d1c 7757->7760 7761 472a62 GetProcessHeap HeapAlloc 7757->7761 7759->7757 7759->7760 7760->7753 7762 472a92 7761->7762 7763 472a99 socket 7761->7763 7762->7757 7764 472ab4 7763->7764 7765 472cd3 GetProcessHeap HeapFree 7763->7765 7764->7765 7779 472abd 7764->7779 7765->7762 7766 472adb htons 7781 4726ff 7766->7781 7768 472b04 select 7768->7779 7769 472ca4 7770 472cb3 GetProcessHeap HeapFree 7769->7770 7770->7762 7771 472b3f recv 7771->7779 7772 472b66 htons 7772->7769 7772->7779 7773 472b87 htons 7773->7769 7773->7779 7776 472bf3 GetProcessHeap HeapAlloc 7776->7779 7777 472c17 htons 7796 472871 7777->7796 7779->7766 7779->7768 7779->7769 7779->7770 7779->7771 7779->7772 7779->7773 7779->7776 7779->7777 7780 472c4d GetProcessHeap HeapFree 7779->7780 7788 472923 7779->7788 7800 472904 7779->7800 7780->7779 7782 472717 7781->7782 7783 47271d 7781->7783 7784 47ebcc 4 API calls 7782->7784 7785 47272b GetTickCount htons 7783->7785 7784->7783 7786 4727cc htons htons sendto 7785->7786 7787 47278a 7785->7787 7786->7779 7787->7786 7789 472944 7788->7789 7790 47293d 7788->7790 7804 472816 htons 7789->7804 7790->7779 7792 472871 htons 7795 472950 7792->7795 7793 4729bd htons htons htons 7793->7790 7794 4729f6 GetProcessHeap HeapAlloc 7793->7794 7794->7790 7794->7795 7795->7790 7795->7792 7795->7793 7797 4728e3 7796->7797 7798 472889 7796->7798 7797->7779 7798->7797 7798->7798 7799 4728c3 htons 7798->7799 7799->7797 7799->7798 7801 472921 7800->7801 7802 472908 7800->7802 7801->7779 7803 472909 GetProcessHeap HeapFree 7802->7803 7803->7801 7803->7803 7805 47286b 7804->7805 7806 472836 7804->7806 7805->7795 7806->7805 7807 47285c htons 7806->7807 7807->7805 7807->7806 7809 476bc0 7808->7809 7810 476bbc 7808->7810 7811 47ebcc 4 API calls 7809->7811 7813 
476bd4 7809->7813 7810->7340 7812 476be4 7811->7812 7812->7813 7814 476c07 CreateFileA 7812->7814 7815 476bfc 7812->7815 7813->7340 7816 476c34 WriteFile 7814->7816 7817 476c2a 7814->7817 7818 47ec2e codecvt 4 API calls 7815->7818 7820 476c5a CloseHandle 7816->7820 7821 476c49 CloseHandle DeleteFileA 7816->7821 7819 47ec2e codecvt 4 API calls 7817->7819 7818->7813 7819->7813 7822 47ec2e codecvt 4 API calls 7820->7822 7821->7817 7822->7813 8117 475029 8122 474a02 8117->8122 8123 474a12 8122->8123 8126 474a18 8122->8126 8124 47ec2e codecvt 4 API calls 8123->8124 8124->8126 8125 474a26 8127 474a34 8125->8127 8129 47ec2e codecvt 4 API calls 8125->8129 8126->8125 8128 47ec2e codecvt 4 API calls 8126->8128 8128->8125 8129->8127 8130 475d34 IsBadWritePtr 8131 475d47 8130->8131 8132 475d4a 8130->8132 8133 475389 12 API calls 8132->8133 8134 475d80 8133->8134 8135 47be31 lstrcmpiA 8136 47be55 lstrcmpiA 8135->8136 8142 47be71 8135->8142 8137 47be61 lstrcmpiA 8136->8137 8136->8142 8140 47bfc8 8137->8140 8137->8142 8138 47bf62 lstrcmpiA 8139 47bf77 lstrcmpiA 8138->8139 8143 47bf70 8138->8143 8141 47bf8c lstrcmpiA 8139->8141 8139->8143 8141->8143 8142->8138 8146 47ebcc 4 API calls 8142->8146 8143->8140 8144 47bfc2 8143->8144 8145 47ec2e codecvt 4 API calls 8143->8145 8147 47ec2e codecvt 4 API calls 8144->8147 8145->8143 8150 47beb6 8146->8150 8147->8140 8148 47bf5a 8148->8138 8149 47ebcc 4 API calls 8149->8150 8150->8138 8150->8140 8150->8148 8150->8149
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0047CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0047CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0047CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0047CCB4
                                                                                            • WriteFile.KERNEL32(0047A4B3,?,-000000E8,?,00000000), ref: 0047CCDC
                                                                                            • CloseHandle.KERNEL32(0047A4B3), ref: 0047CCED
                                                                                            • wsprintfA.USER32 ref: 0047CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0047CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0047CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0047CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0047CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0047CDC4
                                                                                            • CloseHandle.KERNEL32(0047A4B3), ref: 0047CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0047CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0047CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0047D033
                                                                                            • lstrcatA.KERNEL32(?,03900108), ref: 0047D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0047D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0047D171
                                                                                            • WriteFile.KERNEL32(00000000,0390012C,?,?,00000000), ref: 0047D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0047D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0047D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0047D231
                                                                                            • lstrcatA.KERNEL32(?,03900108,?,?,?,?,?,?,?,00000100), ref: 0047D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0047D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0047D2C7
                                                                                            • WriteFile.KERNEL32(00000000,0390012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0047D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0047D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0047D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0047D372
                                                                                            • lstrcatA.KERNEL32(?,03900108,?,?,?,?,?,?,?,00000100), ref: 0047D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0047D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0047D408
                                                                                            • WriteFile.KERNEL32(00000000,0390012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0047D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0047D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0047D45B
                                                                                            • CreateProcessA.KERNEL32(?,00480264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0047D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0047D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0047D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0047D513
                                                                                            • closesocket.WS2_32(?), ref: 0047D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0047D577
                                                                                            • ExitProcess.KERNEL32 ref: 0047D583
                                                                                            • wsprintfA.USER32 ref: 0047D81F
                                                                                              • Part of subcall function 0047C65C: send.WS2_32(00000000,?,00000000), ref: 0047C74B
                                                                                            • closesocket.WS2_32(?), ref: 0047DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$X H$\$\$`4u$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-1287820861
                                                                                            • Opcode ID: e3844fae091719ed826f7818158a2ae2aadabb4ef61bb74b279b42cdd91e11c8
                                                                                            • Instruction ID: 2901c77dd115058153eab57c4eed5e8ae374308cc4fec1217d4d6c9a21907cdb
                                                                                            • Opcode Fuzzy Hash: e3844fae091719ed826f7818158a2ae2aadabb4ef61bb74b279b42cdd91e11c8
                                                                                            • Instruction Fuzzy Hash: CEB2C571D00208AFEB209F64DD89FEE77B8AF08304F1485AFF60DA6251E7785A45CB59
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00479A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00479A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00476511), ref: 00479A8A
                                                                                              • Part of subcall function 0047EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0047EC5E
                                                                                              • Part of subcall function 0047EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0047EC72
                                                                                              • Part of subcall function 0047EC54: GetTickCount.KERNEL32 ref: 0047EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00479AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00479ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00479AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00479B99
                                                                                            • ExitProcess.KERNEL32 ref: 00479C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00479CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00479D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00479D8B
                                                                                            • lstrcatA.KERNEL32(?,0048070C), ref: 00479D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00479DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00479E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00479E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00479EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00479ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00479F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00479F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00479F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00479FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00479FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00479FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0047A038
                                                                                            • lstrcatA.KERNEL32(00000022,00480A34), ref: 0047A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0047A072
                                                                                            • lstrcatA.KERNEL32(00000022,00480A34), ref: 0047A08D
                                                                                            • wsprintfA.USER32 ref: 0047A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0047A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0047A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0047A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0047A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0047A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0047A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0047A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0047A1E5
                                                                                              • Part of subcall function 004799D2: lstrcpyA.KERNEL32(?,?,00000100,004822F8,00000000,?,00479E9D,?,00000022,?,?,?,?,?,?,?), ref: 004799DF
                                                                                              • Part of subcall function 004799D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00479E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00479A3C
                                                                                              • Part of subcall function 004799D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00479E9D,?,00000022,?,?,?), ref: 00479A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0047A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0047A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0047A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0047A400
                                                                                            • DeleteFileA.KERNELBASE(004833D8), ref: 0047A407
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0047405E,00000000,00000000,00000000), ref: 0047A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0047A43A
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0047877E,00000000,00000000,00000000), ref: 0047A469
                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 0047A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0047A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0047A4B7
                                                                                            • Sleep.KERNELBASE(00001A90), ref: 0047A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$D$P$\$jlxopxf
                                                                                            • API String ID: 2089075347-1873499730
                                                                                            • Opcode ID: d13d5944137c2342fe7b45b79fc0fd1edc865d32b48dda00f0f9985f79cce2f5
                                                                                            • Instruction ID: d36f79320be159004e05fcc9cc7e088db65211d3bfbacb404d06bacd0aec26c0
                                                                                            • Opcode Fuzzy Hash: d13d5944137c2342fe7b45b79fc0fd1edc865d32b48dda00f0f9985f79cce2f5
                                                                                            • Instruction Fuzzy Hash: 2A5294B1C40259AFDB21DFA1DC49EEF77BCAB04304F1489ABF50DA2141D7789E488B69

                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                            control_flow_graph 794 47199c-4719cc LoadLibraryA 796 4719d5-4719fe GetProcAddress * 3 794->796 797 4719ce-4719d0 794->797 799 471a04-471a06 796->799 800 471ab3-471ab6 FreeLibrary 796->800 798 471abf-471ac2 797->798 799->800 801 471a0c-471a0e 799->801 802 471abc 800->802 801->800 803 471a14-471a28 GetBestInterface GetProcessHeap 801->803 804 471abe 802->804 803->802 805 471a2e-471a40 HeapAlloc 803->805 804->798 805->802 806 471a42-471a50 GetAdaptersInfo 805->806 807 471a62-471a67 806->807 808 471a52-471a60 HeapReAlloc 806->808 809 471aa1-471aad FreeLibrary 807->809 810 471a69-471a73 GetAdaptersInfo 807->810 808->807 809->802 812 471aaf-471ab1 809->812 810->809 811 471a75 810->811 813 471a77-471a80 811->813 812->804 814 471a82-471a86 813->814 815 471a8a-471a91 813->815 814->813 816 471a88 814->816 817 471a96-471a9b HeapFree 815->817 818 471a93 815->818 816->817 817->809 818->817
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004719B1
                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00471E9E), ref: 004719BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004719E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004719ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004719F9
                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00471E9E), ref: 00471A1B
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00471E9E), ref: 00471A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00471E9E), ref: 00471A36
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00471E9E,?,?,?,?,00000001,00471E9E), ref: 00471A4A
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00471E9E,?,?,?,?,00000001,00471E9E), ref: 00471A5A
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00471E9E,?,?,?,?,00000001,00471E9E), ref: 00471A6E
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00471E9E), ref: 00471A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00471E9E), ref: 00471AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg$W4u
                                                                                            • API String ID: 293628436-1619806614
                                                                                            • Opcode ID: 5b76512449c27cdf4ba873a3d0c678ccafb4ef8ade812f75bd9b6f951fb63ac8
                                                                                            • Instruction ID: bc67ef2ba9f1707d93e3c39a97a75876efb62ffb72a2c4e0a37ffdc601b95c92
                                                                                            • Opcode Fuzzy Hash: 5b76512449c27cdf4ba873a3d0c678ccafb4ef8ade812f75bd9b6f951fb63ac8
                                                                                            • Instruction Fuzzy Hash: 95317E32D11209AFCB519FE8CC8C8AFBBB9EF44711B24897BE505A2220D7784E448B58

Control-flow Graph

• Function 00477A95-00477DB6 (rendered as a graph in the original report): re-owns and re-ACLs a registry key. Block order: RegOpenKeyExA(HKLM, access 0xE0100 = READ_CONTROL | WRITE_DAC | WRITE_OWNER | KEY_WOW64_64KEY) -> GetUserNameA -> LookupAccountNameA (SID of the current account) -> RegGetKeySecurity(0x5 = OWNER | DACL) -> GetSecurityDescriptorOwner -> EqualSid against the current account; on one branch LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity(0x1 = OWNER), LocalFree -> GetSecurityDescriptorDacl -> loop: GetAce, EqualSid, DeleteAce -> RegOpenKeyExA, RegSetValueExA (the dropped-binary path from the string table) -> LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegSetKeySecurity (DACL), LocalFree -> RegCloseKey. Net effect: ownership of the key is taken, selected ACEs are removed from its DACL, and the pruned DACL is written back.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00477ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00477ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0048070C,?,?,?), ref: 00477B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00477B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00477B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00477B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00477B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00477B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00477B9C
                                                                                            • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00477BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00477BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00477FC9,?,00000000), ref: 00477BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$D
                                                                                            • API String ID: 2976863881-1525390353
                                                                                            • Opcode ID: 17eb90adeb8a5de7657ab116c102e2b4e48a9c9a41de22e02ff56569fa5047ad
                                                                                            • Instruction ID: 8457144d6baccd9a2a5129ebf9f5453442cdd8bdf6ce1e40e199f65abf4de067
                                                                                            • Opcode Fuzzy Hash: 17eb90adeb8a5de7657ab116c102e2b4e48a9c9a41de22e02ff56569fa5047ad
                                                                                            • Instruction Fuzzy Hash: D9A19371904219AFDF218FA4DC88FEFBBB8FF45304F54846AE509E2250D7399A45CB68

Control-flow Graph

• Function 00477809-00477A94 (rendered as a graph in the original report): the file-system counterpart of the registry-key routine at 00477A95. Block order: GetUserNameA -> LookupAccountNameA -> GetLengthSid -> GetFileSecurityA(0x5 = OWNER | DACL) -> GetSecurityDescriptorOwner -> EqualSid; on one branch LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA(0x1 = OWNER), LocalFree -> GetSecurityDescriptorDacl -> loop: GetAce, EqualSid, DeleteAce -> LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, SetFileSecurityA(0x4 = DACL), LocalFree.
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0047782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00477866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00477878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0047789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00477F63,?), ref: 004778B8
                                                                                            • EqualSid.ADVAPI32(?,00477F63), ref: 004778D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004778E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004778F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00477901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00477910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00477917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00477933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00477963
                                                                                            • EqualSid.ADVAPI32(?,00477F63), ref: 0047798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004779A3
                                                                                            • EqualSid.ADVAPI32(?,00477F63), ref: 004779C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00477A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00477A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00477A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00477A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00477A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: 28b8b7358639dc85e922a34e2978c8729487161ad2d56d0d33a8752eeeb08fda
                                                                                            • Instruction ID: 3a96f383de1411e3ad2cefab3319860e121d8184a39c4bc9684214afe67bbc29
                                                                                            • Opcode Fuzzy Hash: 28b8b7358639dc85e922a34e2978c8729487161ad2d56d0d33a8752eeeb08fda
                                                                                            • Instruction Fuzzy Hash: 838171B1D05109ABEB11CFA4DD44FEFBBB8EF09344F54846AE609E2250D7398A45CF68

Control-flow Graph

• Function 00478328-0047877D (rendered as a graph in the original report): installation routine. Block order along the main path: RegOpenKeyExA(HKLM, access 0x103 = KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY) -> RegQueryValueExA -> RegSetValueExA -> RegCloseKey, then GetTempPathA -> lstrcpyA, lstrlenA -> CreateProcessA -> CloseHandle x2 -> DeleteFileA; two further RegOpenKeyExA / RegQueryValueExA / RegSetValueExA / RegCloseKey sequences sit on side branches. Strings referenced: the dropped-binary path C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe and "localcfg".
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004783F3
                                                                                            • RegQueryValueExA.KERNELBASE(00480750,?,00000000,?,00478893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00478414
                                                                                            • RegSetValueExA.KERNELBASE(00480750,?,00000000,00000004,00478893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00478441
                                                                                            • RegCloseKey.ADVAPI32(00480750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0047844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe$localcfg
                                                                                            • API String ID: 237177642-1805313226
                                                                                            • Opcode ID: 8ad00515f67c0a6b3965e447f31f6ff6e407fbd95fab763de7884023439a0978
                                                                                            • Instruction ID: 089b5699910be3b0e75655cd1e1ac37617bebd05a56766a18811e599025131ad
                                                                                            • Opcode Fuzzy Hash: 8ad00515f67c0a6b3965e447f31f6ff6e407fbd95fab763de7884023439a0978
                                                                                            • Instruction Fuzzy Hash: 98C1D7B1D40109BEEB11ABA5DD89EFF7B7CEB05304F10846FF509A2151EB784E449B29

Control-flow Graph

• Function 00471D96-00471FEA (rendered as a graph in the original report): host fingerprinting and configuration load. Block order: GetVersionExA -> GetSystemInfo -> GetModuleHandleA("kernel32") + GetProcAddress("IsWow64Process") -> GetCurrentProcess (WoW64 check) -> calls into 0047199C (the Iphlpapi interface lookup above) and 00471BDF (GetComputerNameA) -> GetTickCount. The value names referenced by this function are born_date, flags_upd, hi_id, lid_file_upd, loader_id, localcfg, net_type, start_srv and work_srv.
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00471DC6
                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00471DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00471E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00471E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00471E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00471FC9
                                                                                              • Part of subcall function 00471BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00471C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 7be09c6d556a13f16e410371184e1b3b1a3cf0b46dc772ebdd08ff954b4cda97
                                                                                            • Instruction ID: 70e3e440b62223f9e0f15482a7990ae20a85d4943da666683d16ac0963720c88
                                                                                            • Opcode Fuzzy Hash: 7be09c6d556a13f16e410371184e1b3b1a3cf0b46dc772ebdd08ff954b4cda97
                                                                                            • Instruction Fuzzy Hash: 4B51B6B05043446FE370AF7A8C85FAB7AECEB45708F048D1FF94942252D77DA908876A
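Added host-triage script for the behaviour in the registry-key and file ACL routines, the installation routine and the configuration-loading routine listed above. It is not part of the Joe Sandbox report and not the sample's code. Assumptions, labelled in the comments: the configuration key lives somewhere under HKLM\SOFTWARE (the report shows only the HKLM handle 0x80000002), the dropped executable is registered as a service, and the folder and file names are random lowercase strings like the observed jlxopxf\ubezyssm.exe. Run from an elevated 64-bit PowerShell, since the sample opens its keys with KEY_WOW64_64KEY.

```powershell
# Added triage script: not part of the Joe Sandbox report or of the sample.
# Assumptions: config key is under HKLM\SOFTWARE; dropped binary runs as a service;
# folder/file names are random lowercase strings (observed: jlxopxf\ubezyssm.exe).

# Value names seen in the sample's registry routines (report string table).
$ConfigValueNames = @('localcfg', 'born_date', 'flags_upd', 'hi_id', 'lid_file_upd',
                      'loader_id', 'net_type', 'start_srv', 'work_srv')
# Install-path pattern; the exact names are per-infection random (assumption).
$DroppedPathPattern = '^C:\\Windows\\SysWOW64\\[a-z]+\\[a-z]+\.exe$'

function Find-TofseeConfigKeys {
    # Walk HKLM\SOFTWARE and report keys holding several of the config value names.
    param([string]$Root = 'HKLM:\SOFTWARE', [int]$MinMatches = 3)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $names = @()
        try { $names = $key.GetValueNames() } catch { return }   # denied keys are skipped here
        $hits = @($names | Where-Object { $ConfigValueNames -contains $_ })
        if ($hits.Count -ge $MinMatches) {
            [pscustomobject]@{ Key = $key.Name; MatchedValues = ($hits -join ', ') }
        }
    }
}

function Find-SysWow64Services {
    # Services whose binary sits in a subfolder of SysWOW64, as the dropped path does.
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and ($_.PathName.Trim('"') -match $DroppedPathPattern)
    } | Select-Object Name, State, StartMode, PathName
}

function Get-OwnerAndDacl {
    # Owner and DACL of a registry key or file. The sample re-owns both and deletes
    # ACEs, so an unexpected owner, a missing Administrators/SYSTEM entry, or Get-Acl
    # itself being denied is the signal.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch {
        return [pscustomobject]@{ Path = $Path; Owner = $null; AdminsPresent = $false
                                  SystemPresent = $false; Aces = "Get-Acl failed: $($_.Exception.Message)" }
    }
    $aces = foreach ($ace in $acl.Access) {
        $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
            $ace.RegistryRights } else { $ace.FileSystemRights }
        '{0}:{1}:{2}' -f $ace.IdentityReference, $ace.AccessControlType, $rights
    }
    [pscustomobject]@{
        Path          = $Path
        Owner         = $acl.Owner
        AdminsPresent = [bool]($acl.Access | Where-Object { $_.IdentityReference -like '*\Administrators' })
        SystemPresent = [bool]($acl.Access | Where-Object { $_.IdentityReference -like '*\SYSTEM' })
        Aces          = ($aces -join '; ')
    }
}

$configKeys = @(Find-TofseeConfigKeys)
$services   = @(Find-SysWow64Services)

# Check the ACLs of everything found, registry keys via the Registry:: provider.
$acls = @(
    foreach ($k in $configKeys) { Get-OwnerAndDacl -Path ('Registry::' + $k.Key) }
    foreach ($s in $services)   { Get-OwnerAndDacl -Path ($s.PathName.Trim('"')) }
)

$configKeys | Format-Table -AutoSize
$services   | Format-Table -AutoSize
$acls       | Format-List
```

The AdminsPresent and SystemPresent checks match the English account names; on a localized Windows compare against the well-known SIDs (S-1-5-32-544 and S-1-5-18) instead. A key that matches the value names but whose ACL query fails, or whose owner is a plain user account, is consistent with the ownership and DeleteAce sequence in the two ACL routines and is worth collecting before any remediation that would alter it.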

Control-flow Graph

• Function 004773FF-00477808 (rendered as a graph in the original report): enumeration of an HKLM key. Block order: RegOpenKeyExA(HKLM, access 0x20119 = KEY_READ | KEY_WOW64_64KEY) -> loop: RegEnumKeyA -> RegOpenKeyExA(subkey, access 0x101 = KEY_QUERY_VALUE | KEY_WOW64_64KEY) -> RegQueryValueExA -> case-insensitive string compare (___ascii_stricmp) -> GetFileAttributesExA -> RegCloseKey on the subkey; RegCloseKey on the parent key when the enumeration ends. The KEY_WOW64_64KEY flag means the 32-bit payload deliberately reads the native 64-bit registry view.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75570F10,00000000), ref: 00477472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75570F10,00000000), ref: 004774F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75570F10,00000000), ref: 00477528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0047764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75570F10,00000000), ref: 004776E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00477706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75570F10,00000000), ref: 00477717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75570F10,00000000), ref: 00477745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75570F10,00000000), ref: 004777EF
                                                                                              • Part of subcall function 0047F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004822F8,000000C8,00477150,?), ref: 0047F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0047778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004777E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 558950c8491d7f04026efe547201c94d1afcb6808862d6cf4fef324747699d81
                                                                                            • Instruction ID: 941587d9a6a1e747b172c411c5301d08d3f955772904c40047dca0c525a7c418
                                                                                            • Opcode Fuzzy Hash: 558950c8491d7f04026efe547201c94d1afcb6808862d6cf4fef324747699d81
                                                                                            • Instruction Fuzzy Hash: FBC1F271904209AFDB219BA5DC45FEF7BB9EF05310F5084ABF508E6190EB389E448B68

Control-flow Graph
Control-flow graph (rendered graph omitted): function at 47675c, basic blocks 47675c-476986. API calls in the graph: CreateFileA, SetFileAttributesA, GetFileSize, ReadFile, SetFilePointer, FindCloseChangeNotification. Internal calls: 47ebcc, 47ec2e.
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75570F10,00000000), ref: 0047677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75570F10,00000000), ref: 0047679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75570F10,00000000), ref: 004767B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75570F10,00000000), ref: 004767BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75570F10,00000000), ref: 004767D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00478244,00000000,?,75570F10,00000000), ref: 00476807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0047681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75570F10,00000000), ref: 0047683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0047685C
• ReadFile.KERNEL32(000000FF,?,00000028,00478244,00000000,?,75570F10,00000000), ref: 0047688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75570F10,00000000), ref: 00476906
• ReadFile.KERNEL32(000000FF,?,00000000,00478244,00000000,?,75570F10,00000000), ref: 0047691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,75570F10,00000000), ref: 00476971
  • Part of subcall function 0047EC2E: GetProcessHeap.KERNEL32(00000000,'G,00000000,0047EA27,00000000), ref: 0047EC41
  • Part of subcall function 0047EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0047EC48
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: 77b6298f8df2dab931a6f93ef4f27a9556f0313231888b966d858ed9222e98b9
• Instruction ID: d5dfdebcc1c5d1a27be46bafbc27926b96efe761e57af965439eba407820eef6
• Opcode Fuzzy Hash: 77b6298f8df2dab931a6f93ef4f27a9556f0313231888b966d858ed9222e98b9
• Instruction Fuzzy Hash: 05716BB1C0061DEFDF10DFA5CC809EEBBB9FB04314F11856AE519A6290E7349E56CB54

Control-flow Graph
Control-flow graph (rendered graph omitted): function at 47f315, basic blocks 47f315-47f427. API calls in the graph: htons, socket, ioctlsocket, connect, select, __WSAFDIsSet. Internal calls: 47ee2a, 47f26d.
APIs
• htons.WS2_32(0047CA1D), ref: 0047F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0047F367
• closesocket.WS2_32(00000000), ref: 0047F375
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: `4u$time_cfg
• API String ID: 311057483-456741473
• Opcode ID: 6d8f3ee2928ec432dc9c69c9b1fed40d3b820e61bbe22d5b8af0f73b5b633d07
• Instruction ID: 112c4f6028108a9c7c0ca11fa7badacb05b29c6e82b6b960ecb90165fb6d9444
• Opcode Fuzzy Hash: 6d8f3ee2928ec432dc9c69c9b1fed40d3b820e61bbe22d5b8af0f73b5b633d07
• Instruction Fuzzy Hash: 4531A072900118ABDB10DFA5DC89DEF7BBCEF48314F10857AF918D3151E7748A498BA9

Control-flow Graph
Control-flow graph (rendered graph omitted): function at 47405e, basic blocks 47405e-47427b. API calls in the graph: CreateEventA, CreateNamedPipeA, Sleep, ConnectNamedPipe, GetLastError, DisconnectNamedPipe, CloseHandle, ExitProcess. Internal calls: 473ecd, 474000, 47ee2a, 47eca5, 473f18, 473f8c, 47e318.
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00474070
• ExitProcess.KERNEL32 ref: 00474121
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: 0f9c7b60cf26cb16e73eb0a3e2680b7f7382d8bee988cc42bd495b77d4eac063
• Instruction ID: e1b9ef19e649063b4fcb0a37cae3d12e31770fd390ff0925688cb62ac050e6d7
• Opcode Fuzzy Hash: 0f9c7b60cf26cb16e73eb0a3e2680b7f7382d8bee988cc42bd495b77d4eac063
• Instruction Fuzzy Hash: F551B471D00208BADB20ABA19D45FFF7B7CEF55754F00806AF608B6181E7388E45D769

Control-flow Graph
Control-flow graph (rendered graph omitted): function at 472d21, basic blocks 472d21-472df1. API calls in the graph: GetModuleHandleA, LoadLibraryA, GetProcAddress, DnsQuery_A, GetProcessHeap, HeapAlloc, lstrcpynA. Internal calls: 47ee2a.
APIs
• GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00472F01,?,004720FF,00482000), ref: 00472D3A
• LoadLibraryA.KERNEL32(?), ref: 00472D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00472D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00472D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00472D99
• HeapAlloc.KERNEL32(00000000), ref: 00472DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00472DCB
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: 20c70c735b4e78b002384f1e02500073e2f4a84ad222854f335c8c22fe4b7de0
• Instruction ID: 77b3ecf01f81b0c2967bd7bcd86d2e7492df460b31997044a0444556289fc8df
• Opcode Fuzzy Hash: 20c70c735b4e78b002384f1e02500073e2f4a84ad222854f335c8c22fe4b7de0
• Instruction Fuzzy Hash: 8E21A471D00226ABCB619F65DD489EFBBB8EF08B50F108426F909F3210D3B4998587D8

Control-flow Graph
Control-flow graph (rendered graph omitted): function at 4780c9, basic blocks 4780c9-478273. API calls in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey. Internal calls: 476ec3, 477ee6, 47704c, 47675c, 472544, 47ee2a, 4724c2, 47ec2e, 47ebcc, 47ef00.
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 0047815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0047A45F,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 00478187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0047A45F,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 004781BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75570F10,00000000), ref: 00478210
  • Part of subcall function 0047675C: SetFileAttributesA.KERNEL32(?,00000080,?,75570F10,00000000), ref: 0047677E
  • Part of subcall function 0047675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75570F10,00000000), ref: 0047679A
  • Part of subcall function 0047675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75570F10,00000000), ref: 004767B0
  • Part of subcall function 0047675C: SetFileAttributesA.KERNEL32(?,00000002,?,75570F10,00000000), ref: 004767BF
  • Part of subcall function 0047675C: GetFileSize.KERNEL32(000000FF,00000000,?,75570F10,00000000), ref: 004767D3
  • Part of subcall function 0047675C: ReadFile.KERNELBASE(000000FF,?,00000040,00478244,00000000,?,75570F10,00000000), ref: 00476807
  • Part of subcall function 0047675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0047681F
  • Part of subcall function 0047675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75570F10,00000000), ref: 0047683E
  • Part of subcall function 0047675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75570F10,00000000), ref: 0047685C
  • Part of subcall function 0047EC2E: GetProcessHeap.KERNEL32(00000000,'G,00000000,0047EA27,00000000), ref: 0047EC41
  • Part of subcall function 0047EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0047EC48
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\jlxopxf\ubezyssm.exe
• API String ID: 124786226-680064073
• Opcode ID: e550f7342ca49a0ba525eb9d2c0fd651ac25ae252fb77f7d61224a78fb433857
• Instruction ID: d6cb2d73fe8d7db358d42141507e659187ef626f349f60ae87e30192def2770f
• Opcode Fuzzy Hash: e550f7342ca49a0ba525eb9d2c0fd651ac25ae252fb77f7d61224a78fb433857
• Instruction Fuzzy Hash: 3F41B3B2941108BFEB10EBA59E89DFF776CDB04304F1489AFF509E2112EA785E448B5D

Control-flow Graph
Control-flow graph (rendered graph omitted): function at 471ac3, basic blocks 471ac3-471b70. API calls in the graph: LoadLibraryA, GetProcAddress, GetAdaptersAddresses. Internal calls: 47ebed, 47ec2e.
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00471AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00471AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00471B20
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: 1a7ec0c9beebdc9b4b63b429667fc99b6a265ea09c1745c4af36598214ee7b5e
• Instruction ID: a0dafcdbfce918990567af4423059987336a3090d4e52281df35ea1312db6a9e
• Opcode Fuzzy Hash: 1a7ec0c9beebdc9b4b63b429667fc99b6a265ea09c1745c4af36598214ee7b5e
• Instruction Fuzzy Hash: AF110D71E01124AFCB11D7A9CD848DEBB79EB44B10B548497E00DE3221E6346E44D788

Control-flow graph (image not recoverable): function at 47e3ca, basic blocks 47e3ca-47e52d; calls RegOpenKeyExA, RegQueryValueExA (3x), RegCloseKey and subroutines 47ee08, 47f1ed, 47db2e, 472544, 47e332
APIs
• RegOpenKeyExA.KERNELBASE(80000001,0047E5F2,00000000,00020119,0047E5F2,004822F8), ref: 0047E3E6
• RegQueryValueExA.ADVAPI32(0047E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0047E44E
• RegQueryValueExA.ADVAPI32(0047E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0047E482
• RegQueryValueExA.ADVAPI32(0047E5F2,?,00000000,?,80000001,?), ref: 0047E4CF
• RegCloseKey.ADVAPI32(0047E5F2,?,?,?,?,000000C8,000000E4), ref: 0047E520
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 493fa4a3efe3309c2dd0791e9cbb3a82811c6b84c8102055fe5faeb3e4a8153f
• Instruction ID: b336401410952cd036ddd6d701dc1e21300f62823368d7f9dc5f918344b22e4d
• Opcode Fuzzy Hash: 493fa4a3efe3309c2dd0791e9cbb3a82811c6b84c8102055fe5faeb3e4a8153f
• Instruction Fuzzy Hash: 3A4138B2D0021DBFDF119FE9DC81DEEBBB9EB08304F1485AAE914B2150E3359A158B64

Control-flow graph (image not recoverable): function at 47f26d, single basic block 47f26d-47f303; calls setsockopt 5 times
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0047F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0047F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0047F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0047F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0047F2FD
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 7292ba08e512c3b8e84f1d0fdffe31a65678d802f296a94dbc90138b31befe7b
• Instruction ID: 71a318ab903c29e6d9918cf85857c2df7fc3fca0b7f85a4d12c9a0d0093dcad5
• Opcode Fuzzy Hash: 7292ba08e512c3b8e84f1d0fdffe31a65678d802f296a94dbc90138b31befe7b
• Instruction Fuzzy Hash: 64110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

Control-flow graph (image not recoverable): function at 471bdf, basic blocks 471bdf-471c5e; calls subroutine 471ac3, GetComputerNameA, GetVolumeInformationA
APIs
  • Part of subcall function 00471AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00471AD4
  • Part of subcall function 00471AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00471AE9
  • Part of subcall function 00471AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00471B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00471C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00471C51
Strings
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
• Opcode ID: 12b30fe51dc277768fa78c273cdc0d8758c75d2f99e10a033fc0355070df9d4b
• Instruction ID: 438f2c2b4da0883cb88a798e8bd2b05232ce2c48d7899b90bc2a5f4d57964832
• Opcode Fuzzy Hash: 12b30fe51dc277768fa78c273cdc0d8758c75d2f99e10a033fc0355070df9d4b
• Instruction Fuzzy Hash: 80018072A40118BFEB51DAECCCC59EFBABCAB44745F10447AEB06E2210D2349E4486A5
APIs
• inet_addr.WS2_32(00000001), ref: 00472693
• gethostbyname.WS2_32(00000001), ref: 0047269F
Strings
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$W4u
• API String ID: 1594361348-4149107023
• Opcode ID: a3ca3c3e04adbf1bce3bfbbe2bd71980ee666b26351bb3e611b23266ea2616e9
• Instruction ID: af5ddcad021d96536e8cfbaeb2d04213a9749c917a21a82e89f10a0f6363d8cf
• Opcode Fuzzy Hash: a3ca3c3e04adbf1bce3bfbbe2bd71980ee666b26351bb3e611b23266ea2616e9
• Instruction Fuzzy Hash: F4E0C2302144218FCB509B28F848ACA37E5EF06330F01858BF448C32A0C7B8DC808788
APIs
  • Part of subcall function 00471AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00471AD4
  • Part of subcall function 00471AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00471AE9
  • Part of subcall function 00471AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00471B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00471BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00471EFD,00000000,00000000,00000000,00000000), ref: 00471BB8
Strings
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
• Opcode ID: 4e3e3bacb45522643002c5f23c45409416e7cfa1e8025deb57c961d9921c1e7d
• Instruction ID: 80faba16f08a670f3ea94a54e94db5c50a1c43f8b7367a7fe706d4d46b2528d6
• Opcode Fuzzy Hash: 4e3e3bacb45522643002c5f23c45409416e7cfa1e8025deb57c961d9921c1e7d
• Instruction Fuzzy Hash: A2018BB6D00108BFEB109BE9CC819EFFABCAB48754F154566A705E3150D5706E0857A1
APIs
  • Part of subcall function 0047EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0047EC0A,00000000,80000001,?,0047DB55,7FFF0001), ref: 0047EBAD
  • Part of subcall function 0047EBA0: HeapSize.KERNEL32(00000000,?,0047DB55,7FFF0001), ref: 0047EBB4
• GetProcessHeap.KERNEL32(00000000,'G,00000000,0047EA27,00000000), ref: 0047EC41
• RtlFreeHeap.NTDLL(00000000), ref: 0047EC48
Strings
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID: 'G
• API String ID: 1305341483-1276045452
• Opcode ID: 0161c789551d16a4bef1a1f23aa9abbc3145bf571dc150b3e4be51d4b7f15201
• Instruction ID: 0288fa894d6c2de1a21163e09608e131679676efa493e6303bbbb93763df7b80
• Opcode Fuzzy Hash: 0161c789551d16a4bef1a1f23aa9abbc3145bf571dc150b3e4be51d4b7f15201
• Instruction Fuzzy Hash: 5DC012324162306BC5912761BC1DFDF6F189F4AB21F0D494EF409A6154C764584047E9
APIs
  • Part of subcall function 0047DD05: GetTickCount.KERNEL32 ref: 0047DD0F
  • Part of subcall function 0047DD05: InterlockedExchange.KERNEL32(004836B4,00000001), ref: 0047DD44
  • Part of subcall function 0047DD05: GetCurrentThreadId.KERNEL32 ref: 0047DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75570F10,?,00000000,?,0047A445), ref: 0047E558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75570F10,?,00000000,?,0047A445), ref: 0047E583
• CloseHandle.KERNEL32(00000000,?,75570F10,?,00000000,?,0047A445), ref: 0047E5B2
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
• Opcode ID: 8a32fef483d3cb84df1b1f710c8d523580e91cc3b55368d3d4ee1da5582d4661
• Instruction ID: a30f2a4400421859d98c28583d7700a7d85d5ed0e24a33bee63d8471a8752342
• Opcode Fuzzy Hash: 8a32fef483d3cb84df1b1f710c8d523580e91cc3b55368d3d4ee1da5582d4661
• Instruction Fuzzy Hash: 9F21F8B19402007AE1207A635D06FDF391CDF55B58F104A6FBE0DA51E3E95DE91082FD
APIs
• Sleep.KERNELBASE(000003E8), ref: 004788A5
  • Part of subcall function 0047F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0047E342,00000000,7568EA50,80000001,00000000,0047E513,?,00000000,00000000,?,000000E4), ref: 0047F089
  • Part of subcall function 0047F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0047E342,00000000,7568EA50,80000001,00000000,0047E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0047F093
Strings
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
• Opcode ID: 84840fd317149c3e90fb8e8c63ef4f56735e942f38285c304565b853f75b5cbb
• Instruction ID: 13c23e9ba86e841eff22206d4bf47b857609b6400d750656878b2ecba5a8e8cb
• Opcode Fuzzy Hash: 84840fd317149c3e90fb8e8c63ef4f56735e942f38285c304565b853f75b5cbb
• Instruction Fuzzy Hash: 4221B8315883406AF315B7666E47BEE36989B05714FA1882FF70C961C3DEDD454482BF
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004822F8,004742B6,00000000,00000001,004822F8,00000000,?,004798FD), ref: 00474021
• GetLastError.KERNEL32(?,004798FD,00000001,00000100,004822F8,0047A3C7), ref: 0047402C
• Sleep.KERNEL32(000001F4,?,004798FD,00000001,00000100,004822F8,0047A3C7), ref: 00474046
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: ae2e83a6bcad2ff7e661f0d759feb40ca94e0b541a84ac9aef98428f0d582479
• Instruction ID: 416da7b7ff73380dd53926ae3e9d54fcdc6f5940a5b011799e3bb9db0c659c6b
• Opcode Fuzzy Hash: ae2e83a6bcad2ff7e661f0d759feb40ca94e0b541a84ac9aef98428f0d582479
• Instruction Fuzzy Hash: 56F05E322501416AD7710B24AC49BBA72A1DBC3724F258A2AE3A9F21E0C73448859B19
APIs
• GetEnvironmentVariableA.KERNEL32(0047DC19,?,00000104), ref: 0047DB7F
• lstrcpyA.KERNEL32(?,004828F8), ref: 0047DBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0047DBC2
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
• Opcode ID: 6c79120c4aa9804e7118da0068c498ea5db67d8566787e798230d1a89a51902b
• Instruction ID: 4405726749b4af837d98c8c5951c63c8611e92359f2a2867b25383254fcf45df
• Opcode Fuzzy Hash: 6c79120c4aa9804e7118da0068c498ea5db67d8566787e798230d1a89a51902b
• Instruction Fuzzy Hash: 6DF09070510209ABEF209F64ED49FD93B69AB10308F1045A4BB55A40D0D7F2E549CB18
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0047EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0047EC72
• GetTickCount.KERNEL32 ref: 0047EC78
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: c7fc5b2858a729d24605abaa69643cdf3723a7bdfd740ebffd957825dbda8279
• Instruction ID: bdab478b95d3b9990ea363af5206eb3730bf50f396bbc2691bc73568230117e2
• Opcode Fuzzy Hash: c7fc5b2858a729d24605abaa69643cdf3723a7bdfd740ebffd957825dbda8279
• Instruction Fuzzy Hash: 59E0BFF5820104BFE751EBB4EC4EE7F77BCFB08715F500A64B911D6090EA709A099B64
                                                                                            APIs
                                                                                            • closesocket.WS2_32(00000000), ref: 00471992
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 2781271927-6339388
                                                                                            • Opcode ID: 663d84bae553ec76e499f7c8c20f5ddb6312293fbb90d31eb5d61efa24628e7a
                                                                                            • Instruction ID: 1aa5cb9062fe693423af5df91e52dfe0bf3c717552c5b2bb447ab7eb3af99649
                                                                                            • Opcode Fuzzy Hash: 663d84bae553ec76e499f7c8c20f5ddb6312293fbb90d31eb5d61efa24628e7a
                                                                                            • Instruction Fuzzy Hash: FED012B61486316A52512759BC054BFEB9CDF45662711C42FFD4CC0160D638CC428399
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 004730D8
                                                                                            • gethostbyname.WS2_32(?), ref: 004730E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynamegethostname
                                                                                            • String ID:
                                                                                            • API String ID: 3961807697-0
                                                                                            • Opcode ID: e3dc880f061409bb7b6e57772e401157fbfcc85cb207e0e8e5772a2f1ea049bb
                                                                                            • Instruction ID: 8fc0a44aa051a02391bf52365823ea1c512efc1ae86e43906d4cde53bffe359d
                                                                                            • Opcode Fuzzy Hash: e3dc880f061409bb7b6e57772e401157fbfcc85cb207e0e8e5772a2f1ea049bb
                                                                                            • Instruction Fuzzy Hash: 18E065719001199BCB009BA8EC89FCA77ACBB04318F084565F905E3255EA74E9088794
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,0047DB55,7FFF0001), ref: 0047EC13
                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,0047DB55,7FFF0001), ref: 0047EC1A
                                                                                              • Part of subcall function 0047EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0047EBFE,7FFF0001,?,0047DB55,7FFF0001), ref: 0047EBD3
                                                                                              • Part of subcall function 0047EBCC: RtlAllocateHeap.NTDLL(00000000,?,0047DB55,7FFF0001), ref: 0047EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1357844191-0
                                                                                            • Opcode ID: 11bd46f8f55ac12ec3249c88cda30055fae4f213ab9ce3c8b9a869d627c07599
                                                                                            • Instruction ID: f627a273dc965799aa94f5b11bd4a8fcd3a73af703194495f990db4228cf5b14
                                                                                            • Opcode Fuzzy Hash: 11bd46f8f55ac12ec3249c88cda30055fae4f213ab9ce3c8b9a869d627c07599
                                                                                            • Instruction Fuzzy Hash: 44E092320042087ACF412B92EC09ADD3F59DF08375F00C16AF90C48060CB369990D788
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0047EBFE,7FFF0001,?,0047DB55,7FFF0001), ref: 0047EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0047DB55,7FFF0001), ref: 0047EBDA
                                                                                              • Part of subcall function 0047EB74: GetProcessHeap.KERNEL32(00000000,00000000,0047EC28,00000000,?,0047DB55,7FFF0001), ref: 0047EB81
                                                                                              • Part of subcall function 0047EB74: HeapSize.KERNEL32(00000000,?,0047DB55,7FFF0001), ref: 0047EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: ffc1a3832983ea90069ce3d01e12d7c9503c8f083b85e3f1ca1a59bf4e7d66b5
                                                                                            • Instruction ID: 5320d1ecffe15cf8530675479150dc53bdf6ddf7c498177e5e04bf545b192744
                                                                                            • Opcode Fuzzy Hash: ffc1a3832983ea90069ce3d01e12d7c9503c8f083b85e3f1ca1a59bf4e7d66b5
                                                                                            • Instruction Fuzzy Hash: 6BC08C332082206BC68127A5BC0CEDE3E98EF087B2F08496EF609C2160CB35484087AA
                                                                                            APIs
                                                                                            • recv.WS2_32(000000C8,?,00000000,0047CA44), ref: 0047F476
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: recv
                                                                                            • String ID:
                                                                                            • API String ID: 1507349165-0
                                                                                            • Opcode ID: 90c73950946add28e7b8bde8afd9a666ef753ba456a1113e605abce505cca08b
                                                                                            • Instruction ID: 7c8f994d94c4f9972ed638fc3c73902d6a8d974e47911c9fed84083557cd3b45
                                                                                            • Opcode Fuzzy Hash: 90c73950946add28e7b8bde8afd9a666ef753ba456a1113e605abce505cca08b
                                                                                            • Instruction Fuzzy Hash: 62F08C3220054AAB9B119E9ADC84CEB3BAEFB993207044532FA08D3110D631E8298BB4
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0047DDB5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID:
                                                                                            • API String ID: 1586166983-0
                                                                                            • Opcode ID: f6fd1934a367eaa0acb9f1e71454c56972848b656c2fa9f5b19d51b3b7b9c778
                                                                                            • Instruction ID: abdafc38f1f0d651e07d94bf907ce9225f4aa9bc7b6da1cc6b4180b6cff00b3d
                                                                                            • Opcode Fuzzy Hash: f6fd1934a367eaa0acb9f1e71454c56972848b656c2fa9f5b19d51b3b7b9c778
                                                                                            • Instruction Fuzzy Hash: 8FF05836A202028FCB308E64998469BB7F8EF86325B14883FE25D92250D738DC49CB19
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00479816,EntryPoint), ref: 0047638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00479816,EntryPoint), ref: 004763A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004763CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004763EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: a2bfa4e602d76a08145a432c98f079942da7c44ca715ae9c803c8638f1902c3f
                                                                                            • Instruction ID: 5be7e835dc835a7c03bc5ef9bb5ef71f90bd28b4ccce97496a8e2463920aef84
                                                                                            • Opcode Fuzzy Hash: a2bfa4e602d76a08145a432c98f079942da7c44ca715ae9c803c8638f1902c3f
                                                                                            • Instruction Fuzzy Hash: 721191B2600219BFDB519F65DC49FDB3BA8EF047A4F118469F908E6290D671DD00CBA8
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00471839,00479646), ref: 00471012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004710C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004710E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00471101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00471121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00471140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00471160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00471180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0047119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004711BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004711DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004711FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0047121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 8a474ca733a2b8c2d8597d2eb89e09d9028c7007d453f1a6c599ea7199662988
                                                                                            • Instruction ID: dbe9307e1418f413b85b8c69db1a5edd674ff888a1cd1c526c65f8c637907742
                                                                                            • Opcode Fuzzy Hash: 8a474ca733a2b8c2d8597d2eb89e09d9028c7007d453f1a6c599ea7199662988
                                                                                            • Instruction Fuzzy Hash: 55514DB1502641AAC7209F6CEC44B9E36B86748B22F154B7BD524D22F0D7F8CE82CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0047B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0047B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0047B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0047B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0047B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0047B329
                                                                                            • wsprintfA.USER32 ref: 0047B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: d008ba5a16c1d91b202eab36d38e8adc12cec190ecb3680dd8957d084392ee2e
                                                                                            • Instruction ID: 5d03db125c1fac50380a606095b182f738c96edbf3489847fa216ad309b3cf12
                                                                                            • Opcode Fuzzy Hash: d008ba5a16c1d91b202eab36d38e8adc12cec190ecb3680dd8957d084392ee2e
                                                                                            • Instruction Fuzzy Hash: 4D5153B1D1021CAACF58EFD5D8885EEBBB9FF48304F10896BE515B6150D3784A8DCB98
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: f1606bd093cfb48008e4acae962c4f43da0c5137f9097c5b607b776d2ed92270
                                                                                            • Instruction ID: bd30fa04109874dc7bf262c21cb72775bd2e39ff0135fd05d7c8360b8c00a8cf
                                                                                            • Opcode Fuzzy Hash: f1606bd093cfb48008e4acae962c4f43da0c5137f9097c5b607b776d2ed92270
                                                                                            • Instruction Fuzzy Hash: 38617E72950208AFDB60AFB4DC45FEE77E9FF08300F24846AF96CD2161EA7599448F64
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0047A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0047A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0047A893
                                                                                            • wsprintfA.USER32 ref: 0047A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0047A8D2
                                                                                            • wsprintfA.USER32 ref: 0047A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0047A97C
                                                                                            • wsprintfA.USER32 ref: 0047A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: 48c12ba0ebb6aaea980e23edac174875039e8bce6737b4c845113f269a4858bb
                                                                                            • Instruction ID: d11d68f7b70877e7066325b69d7ccf917f316f969f8067db6311f8495d53395e
                                                                                            • Opcode Fuzzy Hash: 48c12ba0ebb6aaea980e23edac174875039e8bce6737b4c845113f269a4858bb
                                                                                            • Instruction Fuzzy Hash: 32A14A71904305AADF209B58DC85FEF3769EB80304F24C86BFA0D66190EA3D9D69875F
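The command and error strings in this function (ehlo/helo, AUTH LOGIN, mail from, rcpt to, data, the lone ".", quit, and a recv of 0x3F6 bytes) outline a hand-written SMTP client. The following is an added example, not code recovered from the sample: it replays that exchange in Python against a scripted in-memory server so both sides of the conversation are visible, and it applies the three reply checks that the error strings imply. Which condition each error string corresponds to, the EHLO-on-ESMTP choice, and the reply script are this example's assumptions; the page only shows the strings and the recv size.

```python
import base64
from typing import List, Optional, Tuple

# recv() buffer size seen in the dump: recv(sock, buf, 0x3F6, 0) -> 1014 bytes.
MAX_RESPONSE = 0x3F6


class SmtpError(Exception):
    """A server reply failed one of the client-side sanity checks."""


class ScriptedServer:
    """Constructed stand-in for the remote MTA: answers from a fixed reply list
    and records everything the client sends, so the exchange runs offline."""

    def __init__(self, replies: List[bytes]):
        self.replies = list(replies)
        self.received: List[bytes] = []

    def send(self, data: bytes) -> None:
        self.received.append(data)

    def recv(self, bufsize: int) -> bytes:
        return self.replies.pop(0)[:bufsize] if self.replies else b""


def read_reply(server, expected_code: str) -> str:
    """Read one reply and apply the three checks the error strings imply.
    Which condition maps to which string is this example's reading."""
    raw = server.recv(MAX_RESPONSE)
    if len(raw) < 3:                      # not even a 3-digit status code
        raise SmtpError("Too small respons")
    if len(raw) >= MAX_RESPONSE:          # reply filled the whole buffer
        raise SmtpError("Too big smtp respons (%d bytes)" % len(raw))
    text = raw.decode("ascii", "replace")
    if not text[:3].isdigit() or text[:3] != expected_code:
        raise SmtpError("Incorrect respons: " + text.strip())
    return text


def check_reply(raw: bytes, expected_code: str) -> str:
    """Classify a single raw reply; returns 'ok' or the error text."""
    try:
        read_reply(ScriptedServer([raw]), expected_code)
        return "ok"
    except SmtpError as exc:
        return str(exc)


def send_cmd(server, line: str, expected_code: str) -> str:
    server.send(line.encode("ascii") + b"\r\n")
    return read_reply(server, expected_code)


def smtp_transaction(server, helo_name: str, mail_from: str, rcpt_to: str,
                     body: bytes, auth: Optional[Tuple[str, str]] = None) -> List[str]:
    """Drive the greeting, AUTH LOGIN, mail from, rcpt to, data, quit sequence
    built from the command strings above. Returns the command lines sent, in
    order, for comparison against captured traffic."""
    sent: List[str] = []

    def cmd(line: str, code: str) -> str:
        sent.append(line)
        return send_cmd(server, line, code)

    banner = read_reply(server, "220")
    # Both "ehlo %s" and "helo %s" plus the literal "ESMTP" are in the dump;
    # picking EHLO when the banner advertises ESMTP is the assumed use.
    greeting = "ehlo %s" if "ESMTP" in banner else "helo %s"
    cmd(greeting % helo_name, "250")
    if auth is not None:
        user, password = auth
        cmd("AUTH LOGIN", "334")
        cmd(base64.b64encode(user.encode()).decode(), "334")
        cmd(base64.b64encode(password.encode()).decode(), "235")
    cmd("mail from:<%s>" % mail_from, "250")
    cmd("rcpt to:<%s>" % rcpt_to, "250")
    cmd("data", "354")
    # Dot-stuff the body and terminate it with the lone "." line.
    if body.startswith(b"."):
        body = b"." + body
    server.send(body.replace(b"\r\n.", b"\r\n..") + b"\r\n.\r\n")
    read_reply(server, "250")
    cmd("quit", "221")
    return sent


# Constructed reply script for one successful authenticated delivery.
SUCCESS_SCRIPT = [
    b"220 mx.example ESMTP ready\r\n",
    b"250-mx.example\r\n250 AUTH LOGIN PLAIN\r\n",
    b"334 VXNlcm5hbWU6\r\n",
    b"334 UGFzc3dvcmQ6\r\n",
    b"235 2.7.0 Authentication successful\r\n",
    b"250 2.1.0 Ok\r\n",
    b"250 2.1.5 Ok\r\n",
    b"354 End data with <CR><LF>.<CR><LF>\r\n",
    b"250 2.0.0 Ok: queued\r\n",
    b"221 2.0.0 Bye\r\n",
]


def demo() -> List[str]:
    server = ScriptedServer(SUCCESS_SCRIPT)
    return smtp_transaction(server, "host.example", "a@example.org",
                            "b@example.net", b"Subject: t\r\n\r\nhello",
                            auth=("user", "pass"))
```

The returned command list is what a network sensor would see in cleartext on port 25 from the injected svchost.exe; the lowercase verbs and the exact `mail from:<...>` / `rcpt to:<...>` spelling are worth matching on, since most legitimate MUAs send them in uppercase.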
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7556F380), ref: 00472A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7556F380), ref: 00472A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00472AA0
                                                                                            • htons.WS2_32(00000000), ref: 00472ADB
                                                                                            • select.WS2_32 ref: 00472B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00472B4A
                                                                                            • htons.WS2_32(?), ref: 00472B71
                                                                                            • htons.WS2_32(?), ref: 00472B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00472BFB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID: `4u
                                                                                            • API String ID: 1639031587-6339388
                                                                                            • Opcode ID: dd538b1f31f2e73e7b450dea9bee43b79d390a300f91991b6a2078e5a1317050
                                                                                            • Instruction ID: 5f2aecf10795523bf89e0f9887ae1d9188165a266af96ab781771e42202c0780
                                                                                            • Opcode Fuzzy Hash: dd538b1f31f2e73e7b450dea9bee43b79d390a300f91991b6a2078e5a1317050
                                                                                            • Instruction Fuzzy Hash: 3D61F2719043049FC3219F61DE08BAFBBE8FB58750F04881EF98997250D7F8D8448BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0047139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00471571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDv$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-868794581
                                                                                            • Opcode ID: 058ba627ea86aed500c40a8a104fd99b9f561fa269d2c587b522ebfa136e3942
                                                                                            • Instruction ID: 01c080f284f227b94874aeac6da6d18f1ecdf21611d155f1473bee8a1eff9e40
                                                                                            • Opcode Fuzzy Hash: 058ba627ea86aed500c40a8a104fd99b9f561fa269d2c587b522ebfa136e3942
                                                                                            • Instruction Fuzzy Hash: F6F18EB55083419FD324DF68C888BABB7E4FB88704F108D2EF59A97360D7789944CB5A
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,755723A0,?,000DBBA0,?,00000000,00472F0F,?,004720FF,00482000), ref: 00472E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00472F0F,?,004720FF,00482000), ref: 00472E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00472E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00472F0F,?,004720FF,00482000), ref: 00472E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00472F0F,?,004720FF,00482000), ref: 00472E4F
                                                                                            • htons.WS2_32(00000035), ref: 00472E88
                                                                                            • inet_addr.WS2_32(?), ref: 00472E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00472EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00472F0F,?,004720FF,00482000), ref: 00472EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00472F0F,?,004720FF,00482000), ref: 00472EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll$W4u
                                                                                            • API String ID: 929413710-1050870963
                                                                                            • Opcode ID: f1882fa3cc5afbf5f2605651fbcfdece5adee8c5abecb699a5490187ed9b8d84
                                                                                            • Instruction ID: 59872f714588a67fa4adaa8424e8074dedb86c87e38219cf34943e4c303b6c65
                                                                                            • Opcode Fuzzy Hash: f1882fa3cc5afbf5f2605651fbcfdece5adee8c5abecb699a5490187ed9b8d84
                                                                                            • Instruction Fuzzy Hash: 7131F631900209ABDB519BB89D48AEF77B8AF04720F14852AF918E3390D7B8CD418B5C
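Taken together, the UDP helper earlier in this listing (socket(AF_INET=2, SOCK_DGRAM=2, IPPROTO_UDP=17), select, recv of 0x1000 bytes) and this function (GetNetworkParams resolved at run time from iphlpapi.dll, which returns the host's configured DNS servers; htons(0x35) for port 53; inet_addr with a gethostbyname fallback for the server address) are consistent with a hand-rolled DNS client that bypasses the Windows resolver. The following is an added example, not code from the sample: it builds the wire-format query, validates and parses an A-record reply, and shows the UDP/53 round trip with a select() timeout. The query type (A), the response layout and the offline reply builder are this example's assumptions; the dump does not state what is looked up.

```python
import random
import select
import socket
import struct
from typing import List, Tuple

DNS_PORT = 0x35  # htons(0x35) in the dump: UDP/53


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard query, RD=1, one question (QTYPE A by default, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_records(resp: bytes, txid: int) -> List[str]:
    """Check the reply against our transaction id and return A-record IPs."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, off = read_name(resp, off)
        off += 4
    ips: List[str] = []
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append("%d.%d.%d.%d" % tuple(rdata))
    return ips


def build_response(query: bytes, ips: List[str]) -> bytes:
    """Constructed resolver reply for the offline demo (QR=1, RD=1, RA=1)."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b""
    for ip in ips:
        answers += (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                    + bytes(int(x) for x in ip.split(".")))
    return header + question + answers


def resolve_a(name: str, resolver_ip: str, timeout: float = 3.0) -> List[str]:
    """Live round trip: UDP/53 plus select(), the pattern the dump shows.
    Not exercised offline; resolver_ip is whatever the caller supplies."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        sock.sendto(build_query(name, txid), (resolver_ip, DNS_PORT))
        ready, _, _ = select.select([sock], [], [], timeout)
        if not ready:
            raise TimeoutError("no answer from %s" % resolver_ip)
        resp, _ = sock.recvfrom(0x1000)    # same 0x1000-byte recv as the dump
        return parse_a_records(resp, txid)
    finally:
        sock.close()
```

Because the sample talks to port 53 itself instead of calling the resolver service, the queries do not appear in the DNS client event log or in Sysmon's DNS query events; they are only visible on the wire or through network-connection telemetry showing svchost.exe sending UDP/53 directly.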
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75570F10,?,75570F10,00000000), ref: 004770C2
                                                                                            • RegEnumValueA.ADVAPI32(75570F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75570F10,00000000), ref: 0047719E
                                                                                            • RegCloseKey.ADVAPI32(75570F10,?,75570F10,00000000), ref: 004771B2
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 00477208
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 00477291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004772C2
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 004772D0
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 00477314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0047738D
                                                                                            • RegCloseKey.ADVAPI32(75570F10), ref: 004773D8
                                                                                              • Part of subcall function 0047F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004822F8,000000C8,00477150,?), ref: 0047F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 8d959129c54cc3a081a46c860dcb22c1efac151185084e2f96fce75074e18f14
                                                                                            • Instruction ID: 73b9b974c402f4339dc6e7ec252c026f2404723dba30465d4aa0e5148eb7f5ef
                                                                                            • Opcode Fuzzy Hash: 8d959129c54cc3a081a46c860dcb22c1efac151185084e2f96fce75074e18f14
                                                                                            • Instruction Fuzzy Hash: 5EB1D471804209BEDF149FA1DC45BEF77B8EF04304F5089ABF508E2191EB799A84CB68
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0047AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0047ADA6
                                                                                              • Part of subcall function 0047AD08: gethostname.WS2_32(?,00000080), ref: 0047AD1C
                                                                                              • Part of subcall function 0047AD08: lstrlenA.KERNEL32(00000000), ref: 0047AD60
                                                                                              • Part of subcall function 0047AD08: lstrlenA.KERNEL32(00000000), ref: 0047AD69
                                                                                              • Part of subcall function 0047AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0047AD7F
                                                                                              • Part of subcall function 004730B5: gethostname.WS2_32(?,00000080), ref: 004730D8
                                                                                              • Part of subcall function 004730B5: gethostbyname.WS2_32(?), ref: 004730E2
                                                                                            • wsprintfA.USER32 ref: 0047AEA5
                                                                                              • Part of subcall function 0047A7A3: inet_ntoa.WS2_32(?), ref: 0047A7A9
                                                                                            • wsprintfA.USER32 ref: 0047AE4F
                                                                                            • wsprintfA.USER32 ref: 0047AE5E
                                                                                              • Part of subcall function 0047EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0047EF92
                                                                                              • Part of subcall function 0047EF7C: lstrlenA.KERNEL32(?), ref: 0047EF99
                                                                                              • Part of subcall function 0047EF7C: lstrlenA.KERNEL32(00000000), ref: 0047EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: a6e2834a3d9338f0cfd1492ef23b775db810187dad77081dae929f42eae6eea9
                                                                                            • Instruction ID: c335b2f13dd78eccbbb5a11242e40895fe0e0f466ae0b124c237ada4cb2c8956
                                                                                            • Opcode Fuzzy Hash: a6e2834a3d9338f0cfd1492ef23b775db810187dad77081dae929f42eae6eea9
                                                                                            • Instruction Fuzzy Hash: A04153B280020C6BDF25EFA1CC45EEF37ADFF48314F14495BF91992151E635E9188B55
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00479DD7,?,00000022,?,?,00000000,00000001), ref: 00479340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00479DD7,?,00000022,?,?,00000000,00000001), ref: 0047936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00479DD7,?,00000022,?,?,00000000,00000001), ref: 00479375
                                                                                            • wsprintfA.USER32 ref: 004793CE
                                                                                            • wsprintfA.USER32 ref: 0047940C
                                                                                            • wsprintfA.USER32 ref: 0047948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004794F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00479526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00479571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: ce94ba33169548a8ed661dc0c3471461296492be6588a40bab3789f6b965bd8e
                                                                                            • Instruction ID: 1777676af6c49455d6a04c479aa96e04909203a7bbfac45336f845abb5645186
                                                                                            • Opcode Fuzzy Hash: ce94ba33169548a8ed661dc0c3471461296492be6588a40bab3789f6b965bd8e
                                                                                            • Instruction Fuzzy Hash: 4EA181B2940208AFEB21DFA1CD45FDF3BACEB04744F20852BFA1992151D779D944CBA9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0047B467
                                                                                              • Part of subcall function 0047EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0047EF92
                                                                                              • Part of subcall function 0047EF7C: lstrlenA.KERNEL32(?), ref: 0047EF99
                                                                                              • Part of subcall function 0047EF7C: lstrlenA.KERNEL32(00000000), ref: 0047EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: ac7b1cf3f4a6178b3b4dc0a5dc99f4213c2ae05b81740e8b6414d51474dfe101
                                                                                            • Instruction ID: 5eed14e510c4cd109018c7d309f81d4811750ed916698a03424335692d5e46ba
                                                                                            • Opcode Fuzzy Hash: ac7b1cf3f4a6178b3b4dc0a5dc99f4213c2ae05b81740e8b6414d51474dfe101
                                                                                            • Instruction Fuzzy Hash: 554172B254011C7EDF01BEA6CCC2DFF7B6CEF4935CB14451AF908A2142DB78A91887A9
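This function and the header-building function earlier in the listing (the one carrying %OUTLOOK_BND_, %OUTLOOK_HST, %OUTLOOK_MID and the "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" boundary format) together list the placeholder tokens the spam engine substitutes into its templates. The following is an added triage example, not code from the sample: it scans a captured message for those tokens left unexpanded (a template that went out before substitution) and for MIME boundaries of the NextPart shape. The token list is copied verbatim from the two string lists; the sample messages are constructed. One caveat is built in: genuine Outlook mail uses the same NextPart boundary format, so the boundary alone is a weak signal and the leaked placeholders are the indicator to act on.

```python
import re
from typing import Dict, List

# Placeholder tokens copied verbatim from the two string lists above.
TOFSEE_MACROS = [
    "%DATE", "%M5DATE", "%P5DATE",
    "%FROM_DOMAIN", "%FROM_EMAIL", "%FROM_USER",
    "%TO_DOMAIN", "%TO_EMAIL", "%TO_HASH", "%TO_USER",
    "%OUTLOOK_BND_", "%OUTLOOK_HST", "%OUTLOOK_MID",
]
# Longest alternatives first so a longer token is never cut short.
MACRO_RE = re.compile("|".join(
    re.escape(m) for m in sorted(TOFSEE_MACROS, key=len, reverse=True)))

# Shape produced by "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" (uppercase hex
# from %X). Real Outlook mail uses this form too, so it is only a weak signal.
NEXTPART_RE = re.compile(
    r"^----=_NextPart_\d{3}_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}$")

BOUNDARY_PARAM_RE = re.compile(r'boundary\s*=\s*"?([^";\r\n]+)"?', re.IGNORECASE)


def find_macros(text: str) -> List[str]:
    """Unique unexpanded placeholders, in order of first appearance."""
    seen: List[str] = []
    for m in MACRO_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def find_boundaries(text: str) -> List[str]:
    """Every boundary= parameter value found in the message headers."""
    return [m.group(1).strip() for m in BOUNDARY_PARAM_RE.finditer(text)]


def scan_message(raw: str) -> Dict[str, object]:
    """What a triage script would record for one captured message."""
    macros = find_macros(raw)
    boundaries = find_boundaries(raw)
    return {
        "macros": macros,
        "boundaries": boundaries,
        "outlook_style_boundaries": [b for b in boundaries if NEXTPART_RE.match(b)],
        # Leaked placeholders are the strong indicator; the boundary shape
        # alone also matches legitimate Outlook mail.
        "suspicious": bool(macros),
    }


# Constructed sample: a template that was sent before substitution ran.
SAMPLE_LEAKED = (
    "From: %FROM_USER <%FROM_EMAIL>\r\n"
    "To: %TO_EMAIL\r\n"
    "Date: %DATE\r\n"
    "Message-ID: <%OUTLOOK_MID>\r\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_000_0017_01C2E1A4.BA7C3E30"\r\n'
    "\r\n"
    "------=_NextPart_000_0017_01C2E1A4.BA7C3E30\r\n"
    "Content-Type: text/plain\r\n\r\nHello %TO_USER at %TO_DOMAIN\r\n"
)

# Constructed sample: ordinary Outlook-style mail with no placeholders.
SAMPLE_CLEAN = (
    "From: Alice <alice@example.org>\r\n"
    'Content-Type: multipart/alternative; boundary="----=_NextPart_000_0004_01C8DFE6.61B4E150"\r\n'
    "\r\nplain text\r\n"
)
```

Run `scan_message` over the bodies in a mail-log capture or a quarantine export; a hit on `macros` identifies Tofsee-style template leakage regardless of the campaign's content, while `outlook_style_boundaries` should only raise the score when paired with other indicators.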
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00472078
                                                                                            • GetTickCount.KERNEL32 ref: 004720D4
                                                                                            • GetTickCount.KERNEL32 ref: 004720DB
                                                                                            • GetTickCount.KERNEL32 ref: 0047212B
                                                                                            • GetTickCount.KERNEL32 ref: 00472132
                                                                                            • GetTickCount.KERNEL32 ref: 00472142
                                                                                              • Part of subcall function 0047F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0047E342,00000000,7568EA50,80000001,00000000,0047E513,?,00000000,00000000,?,000000E4), ref: 0047F089
                                                                                              • Part of subcall function 0047F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0047E342,00000000,7568EA50,80000001,00000000,0047E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0047F093
                                                                                              • Part of subcall function 0047E854: lstrcpyA.KERNEL32(00000001,?,?,0047D8DF,00000001,localcfg,except_info,00100000,00480264), ref: 0047E88B
                                                                                              • Part of subcall function 0047E854: lstrlenA.KERNEL32(00000001,?,0047D8DF,00000001,localcfg,except_info,00100000,00480264), ref: 0047E899
                                                                                              • Part of subcall function 00471C5F: wsprintfA.USER32 ref: 00471CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: acd911679b932ffc76e9a1a3550d3c13f896edb542255bff2f962c44879750cb
                                                                                            • Instruction ID: d3c81f3928c5d4dde5fe6f41c4b6bb5ffac1c9a5225c75cfdd8336b769040eeb
                                                                                            • Opcode Fuzzy Hash: acd911679b932ffc76e9a1a3550d3c13f896edb542255bff2f962c44879750cb
                                                                                            • Instruction Fuzzy Hash: 5751F3719003855ED728EB25EF45B9A3BD4FB01318F10886FEB09962A2DBF89448C72D
                                                                                            APIs
                                                                                              • Part of subcall function 0047A4C7: GetTickCount.KERNEL32 ref: 0047A4D1
                                                                                              • Part of subcall function 0047A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0047A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0047C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0047C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0047C363
• GetTickCount.KERNEL32 ref: 0047C378
• GetTickCount.KERNEL32 ref: 0047C44D
• InterlockedIncrement.KERNEL32(0047C4E4), ref: 0047C4AE
• CreateThread.KERNEL32(00000000,00000000,0047B535,00000000,?,0047C4E0), ref: 0047C4C1
• CloseHandle.KERNEL32(00000000,?,0047C4E0,00483588,00478810), ref: 0047C4CC
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: 56a18421d5d138ff414b3b096aec7fa148bffc1b390092d33fbec1ab068bb2a6
• Instruction ID: e7fdc6fe2bc883137a2d293ef4a58ae176bb3d8d06ab13e33e5f326a474e7036
• Instruction Fuzzy Hash: F7515AB1A00B418FD7648F6AC6D456ABBE9FB48304B509D3FE58BC7A90D778F8448B14

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0047BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0047BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0047BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0047BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0047BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0047BF94
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: d5ada36c6120a52c20b5bf7e0795bf3933ad3181f54b3006e8e1164340c5224d
• Instruction ID: 8ba4377186a2ec48e7a0225240b1d288a5bbf435fa2f8c115b3075d67ad2f756
• Instruction Fuzzy Hash: D0519F31A00216AEDB119F65CD40BDE7BA9EF04748F14C46BE849EB351E738E9458FD8

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75568A60,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476A7D
• GetDiskFreeSpaceA.KERNEL32(00479E9D,00479A60,?,?,?,004822F8,?,?,?,00479A60,?,?,00479E9D), ref: 00476ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00479A60,?,?,00479E9D), ref: 00476B80
• GetLastError.KERNEL32(?,?,?,00479A60,?,?,00479E9D,?,?,?,?,?,00479E9D,?,00000022,?), ref: 00476B96
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: be21564a887e3f4b61fcd1c6bea27518eaa4275719aadb7e8e3b043d1a6627e5
• Instruction ID: 0049a6073c63a08be38a5d42da3d0be4c58222fc000dc973d5f89098eed8b2f1
• Instruction Fuzzy Hash: 923123B290010DBFCB019FA09D44ADF7BBAEF4A300F15887BE619E3211D734A9459F69

APIs
• GetUserNameA.ADVAPI32(?,0047D7C3), ref: 00476F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0047D7C3), ref: 00476FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00476FE8
• LocalFree.KERNEL32(00000120), ref: 0047701F
• wsprintfA.USER32 ref: 00477036
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: e185b4367d9fe26862458f65dabdfc37bfa210c4c61a762abb9c976946544991
• Instruction ID: ff9c4238994f284948f490e47f767fa69f93f9eedd676858b119641f91207f14
• Instruction Fuzzy Hash: 47313E72500108ABDB01DFA5D849ADF7BBCEF04314F14C56AF909DB201EA39D6088B98

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004822F8,000000E4,00476DDC,000000C8), ref: 00476CE7
• GetProcAddress.KERNEL32(00000000), ref: 00476CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00476D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00476D2B
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: b2262163de09c3fc555ea7f2e53e6aad3bf1567c87bba031a45e62c42c6ae4a5
• Instruction ID: 33701ba82f2de626a12cfc60a40cc3ccbf9ca2acf72d2710cf8cdf0c6d8c11a8
• Instruction Fuzzy Hash: 35213731750A4039F77167324D89FFF2E8E9F12714F09889AF80CA6281D6DD884983AD

APIs
• CreateProcessA.KERNEL32(00000000,00479947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004822F8), ref: 004797B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004822F8), ref: 004797EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004822F8), ref: 004797F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004822F8), ref: 00479831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004822F8), ref: 0047984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,004822F8), ref: 0047985B
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: cc21270c9f7039f9aaf8cc256c724bf42cab13a46e57438aea26a378f23b50a6
• Instruction ID: bd79ccd4e2bba8f006fe01733c0666858a34805c781ea2759edf212dda4545e8
• Instruction Fuzzy Hash: FD218B71911219BBDB119FA1DC49EEF7BBCEF09760F004466BA1CE1150EB359A44CBA8

APIs
  • Part of subcall function 0047DD05: GetTickCount.KERNEL32 ref: 0047DD0F
  • Part of subcall function 0047DD05: InterlockedExchange.KERNEL32(004836B4,00000001), ref: 0047DD44
  • Part of subcall function 0047DD05: GetCurrentThreadId.KERNEL32 ref: 0047DD53
  • Part of subcall function 0047DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0047DDB5
• lstrcpynA.KERNEL32(?,00471E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0047EAAA,?,?), ref: 0047E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0047EAAA,?,?,00000001,?,00471E84,?), ref: 0047E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0047EAAA,?,?,00000001,?,00471E84,?,0000000A), ref: 0047E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0047EAAA,?,?,00000001,?,00471E84,?), ref: 0047E94F
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 41fa33d76dffa818fbc77189caef9d63d398a25fa5c134dbd5ce23a04a60ffa0
• Instruction ID: 7a4059d6177eb2001c9da0b7b2b217bd2e54a7b5a9fc0271f359d590a8e51ee9
• Instruction Fuzzy Hash: D2514072D00209AFCB11EFA9C985DEEB7F9FF48308F14466EE409A7211D778EA158B54

APIs
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 30b1e8f0d8214c6b44f2851de8b5f0fae3f58fcff66a94e45e6dbd82f55186ba
• Instruction ID: 8871e8cfbc2ab05f0339105dc5886e8033007f0485a00536862c18de7a1900cb
• Instruction Fuzzy Hash: 6A21D176100505FFDB125B61FD49EDF3BADDB06764B21892AF506E1091EB349A00977C

APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004822F8), ref: 0047907B
• wsprintfA.USER32 ref: 004790E9
• CreateFileA.KERNEL32(004822F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0047910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00479122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0047912D
• CloseHandle.KERNEL32(00000000), ref: 00479134
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: bae86584aaed77b942dd1315248a439ddeab655290a56e5074ae2b2980c81b55
• Instruction ID: e2bf5865220db0145bb0836bf99308183defde9a795daddb21b2a1d7914f88e7
• Instruction Fuzzy Hash: D51105B66000107EE7646723EC0EFEF366DCBC9704F00C56ABB0AA1051EA744A0597A8

APIs
• GetTickCount.KERNEL32 ref: 0047DD0F
• GetCurrentThreadId.KERNEL32 ref: 0047DD20
• GetTickCount.KERNEL32 ref: 0047DD2E
• Sleep.KERNEL32(00000000,?,75570F10,?,00000000,0047E538,?,75570F10,?,00000000,?,0047A445), ref: 0047DD3B
• InterlockedExchange.KERNEL32(004836B4,00000001), ref: 0047DD44
• GetCurrentThreadId.KERNEL32 ref: 0047DD53
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 036cf73b696f68dc925447e141621f8a388c4774ed001d1009554ed0924df67e
• Instruction ID: fa539534674e64c345c8113a00200f218d91bccf86eaa4792048107900824788
• Instruction Fuzzy Hash: A4F02E32524200AFC3A05F68FC84B6D3BB4FF01B12F10883EE60DE2220D32850498F6E

APIs
• gethostname.WS2_32(?,00000080), ref: 0047AD1C
• lstrlenA.KERNEL32(00000000), ref: 0047AD60
• lstrlenA.KERNEL32(00000000), ref: 0047AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0047AD7F
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 44e202605d980a248ce766439a719ba3d09ffde778ae56b98ef3965be1d3ad0b
• Instruction ID: a1d076a9eaea9969fffdece68291c5797c7fcdea15e30211eea29e7c1996e7b6
• Instruction Fuzzy Hash: 2B0149208441895DDF3106289844BEE3F6B5BD770AF10C05BE8C8D7612E65C9897839F

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004798FD,00000001,00000100,004822F8,0047A3C7), ref: 00474290
• CloseHandle.KERNEL32(0047A3C7), ref: 004743AB
• CloseHandle.KERNEL32(00000001), ref: 004743AE
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 1127580f45fa0cc661fb29f6f057b9719fe144804c5f3d0d108206df0f091808
• Instruction ID: 33114a894b7c22d0c27424732062c5ad6ec182f18c24c505da0d83a10e2ab673
• Instruction Fuzzy Hash: 9841A371D00209BADB109FA2CD85FEF7FBCEF40365F10855AF518A6191D7388A45DB64

APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004764CF,00000000), ref: 0047609C
• LoadLibraryA.KERNEL32(?,?,004764CF,00000000), ref: 004760C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0047614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0047619E
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: b5bb673848c3ef6cbd18f773021ac5bb579558f26cf5bca28aee343e7d703f0f
                                                                                            • Instruction ID: 5f0c4d4f531c28d2ac37589447e070a508019b79cfa2165badfb5f911474c897
                                                                                            • Opcode Fuzzy Hash: b5bb673848c3ef6cbd18f773021ac5bb579558f26cf5bca28aee343e7d703f0f
                                                                                            • Instruction Fuzzy Hash: C041BF71A00506AFDB10CF58C888BAAB7BAEF04354F66C16AE809D7391D738ED45CB84
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 74f0e9ec7c3b669205565ab8ccaac2f6623c4547cac78ff1700a91a76f1a4f10
                                                                                            • Instruction ID: 39f71e7fae29ee244fef51278cd48077d910fad31472e32da2223d99f45f71ec
                                                                                            • Opcode Fuzzy Hash: 74f0e9ec7c3b669205565ab8ccaac2f6623c4547cac78ff1700a91a76f1a4f10
                                                                                            • Instruction Fuzzy Hash: BB319371A00719ABCB109FA6CD81AFEB7F4FF48715F10885BF549E6241E3B8DA418B58
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0047272E
                                                                                            • htons.WS2_32(00000001), ref: 00472752
                                                                                            • htons.WS2_32(0000000F), ref: 004727D5
                                                                                            • htons.WS2_32(00000001), ref: 004727E3
                                                                                            • sendto.WS2_32(?,00482BF8,00000009,00000000,00000010,00000010), ref: 00472802
                                                                                              • Part of subcall function 0047EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0047EBFE,7FFF0001,?,0047DB55,7FFF0001), ref: 0047EBD3
                                                                                              • Part of subcall function 0047EBCC: RtlAllocateHeap.NTDLL(00000000,?,0047DB55,7FFF0001), ref: 0047EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: aba95b600c3037531f079f30675deb829d235ff6b26e67932ecc36d02b131b4d
                                                                                            • Instruction ID: dbe85e74d97c303747231be5594cd6b1d33e6039073d306ad39257588cc4d924
                                                                                            • Opcode Fuzzy Hash: aba95b600c3037531f079f30675deb829d235ff6b26e67932ecc36d02b131b4d
                                                                                            • Instruction Fuzzy Hash: 52314E342413829FD7148F74DD40DAA7764FF19318B15847EDC598B322D6B6E842D718
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004822F8), ref: 0047915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00479166
                                                                                            • CharToOemA.USER32(?,?), ref: 00479174
                                                                                            • wsprintfA.USER32 ref: 004791A9
                                                                                              • Part of subcall function 00479064: GetTempPathA.KERNEL32(00000400,?,00000000,004822F8), ref: 0047907B
                                                                                              • Part of subcall function 00479064: wsprintfA.USER32 ref: 004790E9
                                                                                              • Part of subcall function 00479064: CreateFileA.KERNEL32(004822F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0047910E
                                                                                              • Part of subcall function 00479064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00479122
                                                                                              • Part of subcall function 00479064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0047912D
                                                                                              • Part of subcall function 00479064: CloseHandle.KERNEL32(00000000), ref: 00479134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004791E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: fd80108e70d93732e2561ffd8a0beba3a907ebdc9fd12c72c79d9a90eeb25e0a
                                                                                            • Instruction ID: b342aed5cec56fef5abbe008c9aadeedd8154bf377614de7603d0900a63e0746
                                                                                            • Opcode Fuzzy Hash: fd80108e70d93732e2561ffd8a0beba3a907ebdc9fd12c72c79d9a90eeb25e0a
                                                                                            • Instruction Fuzzy Hash: 1C0192F68001187BD760A7619D8DEDF377CDB85711F0004A6BB09E2040DAB49A888F74
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00472491,?,?,?,0047E844,-00000030,?,?,?,00000001), ref: 00472429
                                                                                            • lstrlenA.KERNEL32(?,?,00472491,?,?,?,0047E844,-00000030,?,?,?,00000001,00471E3D,00000001,localcfg,lid_file_upd), ref: 0047243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00472452
                                                                                            • lstrlenA.KERNEL32(?,?,00472491,?,?,?,0047E844,-00000030,?,?,?,00000001,00471E3D,00000001,localcfg,lid_file_upd), ref: 00472467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: 7d209d5964a2babf267020d811bac0823d71b1e2653e51a74b3046549e523081
                                                                                            • Instruction ID: 08f1501207e68d22098f302c83d30d1f01efca42c2e622242acaf11b91c176e8
                                                                                            • Opcode Fuzzy Hash: 7d209d5964a2babf267020d811bac0823d71b1e2653e51a74b3046549e523081
                                                                                            • Instruction Fuzzy Hash: 7E011632600218AF8F11EF69DD808DE7BA9EF45394B01C42AE859A7211E374EA448B98
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00476F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*pG), ref: 00476F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00476F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *pG
                                                                                            • API String ID: 3429775523-219985889
                                                                                            • Opcode ID: 1d848716a4dddb59691780c3c6ed80c25f9e32df064fa23b78e15df0f12074f2
                                                                                            • Instruction ID: c2043f1e3b342454537786318647386e1a24b093d088922ef051e41dce8500ee
                                                                                            • Opcode Fuzzy Hash: 1d848716a4dddb59691780c3c6ed80c25f9e32df064fa23b78e15df0f12074f2
                                                                                            • Instruction Fuzzy Hash: BD012171910608AFDB10DFE5ED85AAE7BB9FB04304F10887EE605E2152E7749948DB18
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 94ff60a6bd85a3e8b48985c5a1d8ec5f95ea90d312d91afa23bb526bf3716368
                                                                                            • Instruction ID: 1e2881dbffcb2d27fea161af0bf9f7f4a9e3fbb85494596d569f6adf1a4fd72f
                                                                                            • Opcode Fuzzy Hash: 94ff60a6bd85a3e8b48985c5a1d8ec5f95ea90d312d91afa23bb526bf3716368
                                                                                            • Instruction Fuzzy Hash: 4341BE729042989FDB31DF798D44BEE3BE89F49310F244556FD68D3252D638EA04CBA4
                                                                                            APIs
                                                                                              • Part of subcall function 0047DD05: GetTickCount.KERNEL32 ref: 0047DD0F
                                                                                              • Part of subcall function 0047DD05: InterlockedExchange.KERNEL32(004836B4,00000001), ref: 0047DD44
                                                                                              • Part of subcall function 0047DD05: GetCurrentThreadId.KERNEL32 ref: 0047DD53
                                                                                            • lstrcmpA.KERNEL32(75570F18,00000000,?,75570F10,00000000,?,00475EC1), ref: 0047E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75570F10,00000000,?,00475EC1), ref: 0047E6E9
                                                                                            • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75570F10,00000000,?,00475EC1), ref: 0047E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: 89ABCDEF
                                                                                            • API String ID: 3343386518-71641322
                                                                                            • Opcode ID: fa39805e81fd04862bcf4f0b034dd5687cc27a6ae09c7a8231b34fd900cd7490
                                                                                            • Instruction ID: 5913194babb2fc8c4280586d6528db48bf682d85653fa8c7df48e72d5bd6639f
                                                                                            • Opcode Fuzzy Hash: fa39805e81fd04862bcf4f0b034dd5687cc27a6ae09c7a8231b34fd900cd7490
                                                                                            • Instruction Fuzzy Hash: 6431D231900301DBCB358F66D8847DB37E4AF29724F50CAAFE5598B650E778E884CB89
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0047E2A3,00000000,00000000,00000000,00020106,00000000,0047E2A3,00000000,000000E4), ref: 0047E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0047E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004822F8), ref: 0047E127
                                                                                            • RegDeleteValueA.ADVAPI32(0047E2A3,?,?,?,?,?,000000C8,004822F8), ref: 0047E158
                                                                                            • RegCloseKey.ADVAPI32(0047E2A3,?,?,?,?,000000C8,004822F8,?,?,?,?,?,?,?,?,0047E2A3), ref: 0047E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 22d166fcc093099837535c8e8996520133381d5d7d8fa7fa58f4247bdf7e27a6
                                                                                            • Instruction ID: ffdef05c9f589174715997aca448e39f244b58fe7eeef582201c53c489c89415
                                                                                            • Opcode Fuzzy Hash: 22d166fcc093099837535c8e8996520133381d5d7d8fa7fa58f4247bdf7e27a6
                                                                                            • Instruction Fuzzy Hash: 3E21A571A00219BBDF209FA6DC89EDF7F79EF09754F0081B6F908E6150E6718A14DB94
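Several of the function records above are the ones a responder would pull into a triage note rather than read as raw API lists: the LoadLibraryA/GetProcAddress pair at 004760C3 and 0047614A (dynamic API resolution, with IsBadReadPtr guarding the import walk), the GetModuleFileNameA / GetTempPathA / CreateFileA / WriteFile / ShellExecuteA chain ending at 004791E1 (a file written under %TEMP% and then launched, the shape of the report's "Deletes itself after installation" signature), AllocateAndInitializeSid(?, 2, 0x20, 0x220) followed by CheckTokenMembership at 00476F24 (the RIDs 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, i.e. S-1-5-32-544, BUILTIN\Administrators, so this is an "am I admin" check), RegCreateKeyExA with hKey 80000001 (HKEY_CURRENT_USER) and RegSetValueExA with dwType 3 (REG_BINARY) at 0047E127, and htons/sendto at 00472802 (a UDP datagram). The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: a Python helper that parses records in the layout shown on this page and tags each one with the behaviour its API chain implies. The sample text is a constructed excerpt copied from the records above and trimmed to the lines the parser uses; the rule wording, the hive and value-type tables, and the assumption that the unresolved SID authority is SECURITY_NT_AUTHORITY (S-1-5) are mine, not the report's.

```python
"""Triage helper for Joe Sandbox per-function API records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout: five records copied from this
# page, trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004764CF,00000000), ref: 0047609C
• LoadLibraryA.KERNEL32(?,?,004764CF,00000000), ref: 004760C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0047614A
Memory Dump Source
• API ID: Read$AddressLibraryLoadProc
APIs
• GetModuleFileNameA.KERNEL32(00000000), ref: 00479166
• wsprintfA.USER32 ref: 004791A9
  • Part of subcall function 00479064: GetTempPathA.KERNEL32(00000400,?,00000000,004822F8), ref: 0047907B
  • Part of subcall function 00479064: CreateFileA.KERNEL32(004822F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0047910E
  • Part of subcall function 00479064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0047912D
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004791E1
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00476F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*pG), ref: 00476F24
• FreeSid.ADVAPI32(?), ref: 00476F3E
• API ID: AllocateCheckFreeInitializeMembershipToken
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0047E2A3,00000000,00000000,00000000,00020106,00000000,0047E2A3,00000000,000000E4), ref: 0047E0B2
• RegSetValueExA.ADVAPI32(0047E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004822F8), ref: 0047E127
• RegCloseKey.ADVAPI32(0047E2A3), ref: 0047E161
• API ID: Value$CloseCreateDelete
APIs
• htons.WS2_32(00000001), ref: 00472752
• sendto.WS2_32(?,00482BF8,00000009,00000000,00000010,00000010), ref: 00472802
• API ID: htons$Heap$AllocateCountProcessTicksendto
"""

# One "• Api.MODULE(args), ref: ADDR" line, with or without the subcall prefix
# and with or without an argument list ("GetTickCount.KERNEL32 ref: ...").
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: bool


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id: str = ""

    def names(self):
        return {c.api for c in self.calls}

    def find(self, api):
        return next((c for c in self.calls if c.api == api), None)


def arg_int(call, i):
    """Hex argument i as int, or None when it is missing or unresolved ('?', '*pG')."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None


def parse_records(text):
    """Split report text into records; each record ends at its '• API ID:' line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
        elif line.strip().startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records


def tag_record(rec):
    """Behaviour tags implied by the record's API chain (rule wording is mine)."""
    names, tags = rec.names(), []
    if "GetProcAddress" in names and any(n.startswith("LoadLibrary") for n in names):
        tags.append("dynamic API resolution (LoadLibrary + GetProcAddress)")
    sid_call = rec.find("AllocateAndInitializeSid")
    if sid_call and "CheckTokenMembership" in names:
        subs = [arg_int(sid_call, 2 + i) for i in range(arg_int(sid_call, 1) or 0)]
        if subs and None not in subs:
            # The authority argument is "?" in the report; S-1-5 (SECURITY_NT_AUTHORITY) is assumed.
            sid = "S-1-5-" + "-".join(map(str, subs))
            well_known = " (BUILTIN\\Administrators)" if sid == "S-1-5-32-544" else ""
            tags.append(f"token membership check against {sid}{well_known}")
    if {"GetTempPathA", "CreateFileA", "WriteFile"} <= names and any(n.startswith("ShellExecute") for n in names):
        tags.append("drops a file under %TEMP% and runs it via ShellExecute (script-based self-delete/relaunch pattern)")
    create, setval = rec.find("RegCreateKeyExA"), rec.find("RegSetValueExA")
    if create and setval:
        hive = HIVES.get(arg_int(create, 0), "hKey=?")
        vtype = REG_TYPES.get(arg_int(setval, 3), "type=?")
        tags.append(f"registry value write under {hive} ({vtype})")
    if {"htons", "sendto"} <= names:
        tags.append("UDP datagram send (htons + sendto)")
    return tags


def triage(text):
    """Parse and tag every record; first_ref is the address of the record's first call."""
    return [{"api_id": r.api_id,
             "first_ref": f"{r.calls[0].ref:08X}" if r.calls else None,
             "tags": tag_record(r)} for r in parse_records(text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry["first_ref"], entry["tags"] or ["(no rule matched)"])
```

Arguments the static pass could not resolve appear in the report as "?" (or as stack residue such as "*pG"), so the helper reports "hKey=?" or "type=?" rather than guessing; the tags are pointers into the disassembly, and the confirmed behaviours remain the report's own Signatures section. The same parser can be pointed at the rest of this section, where most records will match no rule.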
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0047A3C7,00000000,00000000,000007D0,00000001), ref: 00473F44
                                                                                            • GetLastError.KERNEL32 ref: 00473F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00473F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00473F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 6bff2abb4c574d5fe6c5c8dac407c44cdcc555e82c55639255d65c796f411628
                                                                                            • Instruction ID: ce3aba0542c2d8f496d4204ba4f1f47db0cf5282734030081d817b3eebf17871
                                                                                            • Opcode Fuzzy Hash: 6bff2abb4c574d5fe6c5c8dac407c44cdcc555e82c55639255d65c796f411628
                                                                                            • Instruction Fuzzy Hash: 96010C72911109ABDF01DF90ED44BEF7B7CEB04396F104426FA05E2150D734DA159BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0047A3C7,00000000,00000000,000007D0,00000001), ref: 00473FB8
                                                                                            • GetLastError.KERNEL32 ref: 00473FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00473FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00473FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_470000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 28c54907a1be8214630481bb1188186e53b297b90a969d6383cc29cbb75554f3
                                                                                            • Instruction ID: 8927d915d5c451c6d14f9c00e96e9f24ce013d1568300cbdb480fbfdd8f2baa1
                                                                                            • Opcode Fuzzy Hash: 28c54907a1be8214630481bb1188186e53b297b90a969d6383cc29cbb75554f3
                                                                                            • Instruction Fuzzy Hash: 0D01297292110AABDF01DF90ED45BEF3B7CEB04356F108426F906E2050D734DA149BB6
APIs
• GetTickCount.KERNEL32 ref: 0047A4D1
• GetTickCount.KERNEL32 ref: 0047A4E4
• Sleep.KERNEL32(00000000,?,0047C2E9,0047C4E0,00000000,localcfg,?,0047C4E0,00483588,00478810), ref: 0047A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0047A4FA
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: e8d8f0840f66fd8a645b1a123ecdd5c3318ba3e59365865d896efa0af944f954
• Instruction ID: 76912af7e363b6c62b2f6076c8ca66f65239f021683ab7b5cf83b24cdcfcb62e
• Opcode Fuzzy Hash: e8d8f0840f66fd8a645b1a123ecdd5c3318ba3e59365865d896efa0af944f954
• Instruction Fuzzy Hash: 79E026332002046BC6001BB5BD84FAF3388AB8A761F154436FB08D3240C65AA85547BF

APIs
• GetTickCount.KERNEL32 ref: 00474E9E
• GetTickCount.KERNEL32 ref: 00474EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00474EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00474EC3
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 0dda5647bf2461ffe50c480452975b4e3eb6bb8eeabdf770c730bcd2ef9682fc
• Instruction ID: 8379fed3c7d7e40a50d7b45654467b5e2ba364a9cb8b9ed3bef26f8d40bb5a45
• Opcode Fuzzy Hash: 0dda5647bf2461ffe50c480452975b4e3eb6bb8eeabdf770c730bcd2ef9682fc
• Instruction Fuzzy Hash: 35E086333112145BD61027B9BD84FBA6689AB97371F110936E70DD2180D75A984646BA

APIs
• GetTickCount.KERNEL32 ref: 00474BDD
• GetTickCount.KERNEL32 ref: 00474BEC
• Sleep.KERNEL32(00000000,?,?,?,0081B114,004750F2), ref: 00474BF9
• InterlockedExchange.KERNEL32(0081B108,00000001), ref: 00474C02
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 0cca2d58e38932a40d227421a023102e3b79a2982015fcef0ceccd94cd6f7c95
• Instruction ID: 08482bbc3f25540a1c649f3c417cf646b5d572b2ed790ca1f43014b27c308d33
• Opcode Fuzzy Hash: 0cca2d58e38932a40d227421a023102e3b79a2982015fcef0ceccd94cd6f7c95
• Instruction Fuzzy Hash: DCE026332012141BC70013B56D80FAA7398DB86361F024837F70CC2150C65AE84142BA

APIs
• GetTickCount.KERNEL32 ref: 00473103
• GetTickCount.KERNEL32 ref: 0047310F
• Sleep.KERNEL32(00000000), ref: 0047311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00473128
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 68a85d8febe39f04c753e0fffff1198c9ddf3f0c91a446b31b20aa391075f108
• Instruction ID: f510af0544df2713334b767b05aa187b770a39e849e9b81bde535aba2fe03724
• Opcode Fuzzy Hash: 68a85d8febe39f04c753e0fffff1198c9ddf3f0c91a446b31b20aa391075f108
• Instruction Fuzzy Hash: 85E02B32310215AFDB406F75BE84BCE6B9ADF85763F11483BF309D61A0C5544D059B7A

APIs
• WriteFile.KERNEL32(00479A60,?,?,00000000,00000000,00479A60,?,00000000), ref: 004769F9
• WriteFile.KERNEL32(00479A60,?,00479A60,00000000,00000000), ref: 00476A27
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: FileWrite
• String ID: ,kG
• API String ID: 3934441357-2695299273
• Opcode ID: bd9450b60983889b9392b47b8b6233b599d0ffc3db64f05e3a44fc1d5bff5708
• Instruction ID: 907c881ea20139efde69fd68dc86b310b15cd421f62306de3e2e12f4e22bc873
• Opcode Fuzzy Hash: bd9450b60983889b9392b47b8b6233b599d0ffc3db64f05e3a44fc1d5bff5708
• Instruction Fuzzy Hash: 46315E72600609EFDB14CF69DD84BEA77F5EB04315F11846AE805E7200D374EE54CBA5

APIs
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: dd2c99fc132c612239e03d2a1dd88646e90a2e6ec32bdfe6b980423c423bdca2
• Instruction ID: cf281ac1abe6b5e8612c7b799a7383b2e188ffef1e6e594c379578b825a43ae7
• Opcode Fuzzy Hash: dd2c99fc132c612239e03d2a1dd88646e90a2e6ec32bdfe6b980423c423bdca2
• Instruction Fuzzy Hash: 8321F032610201AFCB308F64DC996DEBBB9EB21711B29846FD808D7291CF28ED008759

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0047C057
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 0457a1487b5b68cfea8ba4ef99b60148bc9648d676f19594eb1055729ea4c8a8
• Instruction ID: ecd4a2e81b696a21c74ca58d016a147375c64c3655a77d754db080114c89ecc0
• Opcode Fuzzy Hash: 0457a1487b5b68cfea8ba4ef99b60148bc9648d676f19594eb1055729ea4c8a8
• Instruction Fuzzy Hash: 71119A72100100FFDB429BA9DD44E567FA6FF88318B34859CF6188E166D633D867DB50

APIs
  • Part of subcall function 004730FA: GetTickCount.KERNEL32 ref: 00473103
  • Part of subcall function 004730FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00473128
• GetCurrentThreadId.KERNEL32 ref: 00473929
• GetCurrentThreadId.KERNEL32 ref: 00473939
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: 2e6b54fe803aaf7ad9c5fc36c99dffab2a3b316d42678ff4512d1c2c165de3ff
• Instruction ID: 52337622a95f25bccb2dec4f62a8c718aad539ba616c1aa2e42a6496bf64157f
• Opcode Fuzzy Hash: 2e6b54fe803aaf7ad9c5fc36c99dffab2a3b316d42678ff4512d1c2c165de3ff
• Instruction Fuzzy Hash: ED111CB1900215EFD720DF16D541A9DF3F4FB04716F10895EE94897251C7B4AA80DFA8

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0047BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0047ABB9
• InterlockedIncrement.KERNEL32(00483640), ref: 0047ABE1
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 4fe6e5fdeb0e38d67f3a3589730f72b8cff14954509f50a603cd6b5ccbb828f8
• Instruction ID: 362118851f7d05c1c1a32f9ec4d48e99a4dbf4d8b60f3cd59b0551e6a93b0405
• Opcode Fuzzy Hash: 4fe6e5fdeb0e38d67f3a3589730f72b8cff14954509f50a603cd6b5ccbb828f8
• Instruction Fuzzy Hash: 1201F5315083C4AFDB21CF2CD881F8A7BA5AF95314F14888AF6845B303C374E954CB96

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004726C3
• inet_ntoa.WS2_32(?), ref: 004726E4
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: 138fb69cd6a02b2ab275ad8cda4fe8aa997fd57b7f9d3afbf677b96655206771
• Instruction ID: f5b555a52f258dd8d38512178f94f0c174d30705bdfbb058cb5615d6641a3268
• Opcode Fuzzy Hash: 138fb69cd6a02b2ab275ad8cda4fe8aa997fd57b7f9d3afbf677b96655206771
• Instruction Fuzzy Hash: 77F082321582097BEB006FA5ED09ADA379CEF08350F108867FA0CCA0A0DBB5D940979C

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0047EB54,_alldiv,0047F0B7,80000001,00000000,00989680,00000000,?,?,?,0047E342,00000000,7568EA50,80000001,00000000), ref: 0047EAF2
• GetProcAddress.KERNEL32(773F0000,00000000), ref: 0047EB07
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 9ab894b55bc8d557e59379c5d8d68030b4dcb76fd54efdc020833699e1ccc979
• Instruction ID: 7d20867008dccbe6494ad286f557373ea93386b59704022c83e4cb9ac74a7edb
• Opcode Fuzzy Hash: 9ab894b55bc8d557e59379c5d8d68030b4dcb76fd54efdc020833699e1ccc979
• Instruction Fuzzy Hash: 5AD0C734610302678F61DF699D0ED4E7A986F54B01B408C6AB80AE1620E738D448D70C

APIs
  • Part of subcall function 00472D21: GetModuleHandleA.KERNEL32(00000000,755723A0,?,00000000,00472F01,?,004720FF,00482000), ref: 00472D3A
  • Part of subcall function 00472D21: LoadLibraryA.KERNEL32(?), ref: 00472D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00472F73
• HeapFree.KERNEL32(00000000), ref: 00472F7A
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_470000_svchost.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 7024b28fbba46ba277ad450532ea81f57e4218bc82b77444d10d5200bb2ffb53
• Instruction ID: 61865f333913c732c976c7ea18fcc229ba3693c77728e8ce78d0f5cbdc747007
• Opcode Fuzzy Hash: 7024b28fbba46ba277ad450532ea81f57e4218bc82b77444d10d5200bb2ffb53
• Instruction Fuzzy Hash: A851D27190024A9FCF01DF64DC889FAB775FF19304F14856AEC9AD7210E7369A19DB88
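
The function records above all follow one plain-text layout: an APIs list with the call-site address of each call, then the Similarity fields carrying Joe Sandbox's API ID, String ID, API String ID and Opcode ID. The Python below is an added example, not Joe Sandbox code and not part of the report. It parses that layout, groups functions that share an API String ID (the four GetTickCount/Sleep/InterlockedExchange timed-lock helpers above all carry 2207858713-0), and pulls the string literals that the call arguments preserve (%FROM_EMAIL, "no locks and using MX is disabled", ntdll.dll) out as candidate strings for a detection rule. SAMPLE is constructed from four of the records on this page; the record boundaries and field names are taken from the page, while the grouping and string-extraction logic are assumptions about how an analyst would use them.

```python
"""Parse Joe Sandbox per-function records in the plain-text layout shown on this
page.  Added example, not Joe Sandbox code; SAMPLE is constructed from the page."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 00474E9E
• GetTickCount.KERNEL32 ref: 00474EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00474EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00474EC3
Memory Dump Source
• Source File: 00000012.00000002.2647907430.0000000000470000.00000040.00000400.00020000.00000000.sdmp, Offset: 00470000, based on PE: true
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 0dda5647bf2461ffe50c480452975b4e3eb6bb8eeabdf770c730bcd2ef9682fc
APIs
• GetTickCount.KERNEL32 ref: 00473103
• GetTickCount.KERNEL32 ref: 0047310F
• Sleep.KERNEL32(00000000), ref: 0047311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00473128
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0047BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0047ABB9
• InterlockedIncrement.KERNEL32(00483640), ref: 0047ABE1
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0047EB54,_alldiv,0047F0B7,80000001,00000000,00989680,00000000,?,?,?,0047E342,00000000,7568EA50,80000001,00000000), ref: 0047EAF2
• GetProcAddress.KERNEL32(773F0000,00000000), ref: 0047EB07
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
"""

# One API call line: Name.MODULE[(args)][,] ref: ADDRESS
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]{8})$")
# Any other "• Key: value" bullet (Similarity fields, Source File, ...)
FIELD_RE = re.compile(r"^• ([^:]+): ?(.*)$")
HEXARG_RE = re.compile(r"^[0-9A-F]{8}$")
WAIT_LOCK_APIS = {"GetTickCount", "Sleep", "InterlockedExchange"}


def parse_records(text):
    """Split on each 'APIs' heading; keep the calls (with call-site address)
    and every 'Key: value' bullet of that record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "fields": {}}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            current["apis"].append({"name": name, "module": module,
                                    "args": args.split(",") if args else [],
                                    "ref": int(ref, 16)})
            continue
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m.group(1)] = m.group(2)
    return records


def group_by_api_string_id(records):
    """Group by Joe Sandbox's 'API String ID' (API-set id plus string id):
    several records under one id are the same code pattern at different addresses."""
    groups = defaultdict(list)
    for r in records:
        refs = [a["ref"] for a in r["apis"]]
        groups[r["fields"].get("API String ID", "")].append({
            "string_id": r["fields"].get("String ID", ""),
            "first_ref": min(refs) if refs else None})
    return dict(groups)


def literal_args(records):
    """Arguments that are neither 8-digit hex nor '?' are the string literals
    recovered at the call site: candidate strings for a Yara rule."""
    found = set()
    for r in records:
        for a in r["apis"]:
            found.update(x for x in a["args"]
                         if x and x != "?" and not HEXARG_RE.match(x))
    return sorted(found)


def timed_lock_sites(records):
    """Lowest call-site address of each record whose API set is exactly the
    GetTickCount/Sleep/InterlockedExchange trio (the timed try-lock pattern)."""
    return [min(a["ref"] for a in r["apis"]) for r in records
            if {a["name"] for a in r["apis"]} == WAIT_LOCK_APIS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for key, members in group_by_api_string_id(recs).items():
        print(key, [hex(m["first_ref"]) for m in members], members[0]["string_id"])
    print(literal_args(recs), [hex(x) for x in timed_lock_sites(recs)])
```

Feed it the text of a whole report section and the API String ID groups give you the functions worth diffing against a known Tofsee build, while the literal list is the starting point for strings in a rule; the 8-digit hex filter is deliberately strict, so a literal that happens to be eight hex characters would be dropped and should be checked by hand.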