
Windows Analysis Report
fdnoqmpv.exe

Overview

General Information

Sample name: fdnoqmpv.exe
Analysis ID: 1488273
MD5: a5b50eaa46c9477e60d39778fa662926
SHA1: ed043f86af11c291b3e508d14fe1c4232aab1842
SHA256: f4d0a30894abd66615326caa634eeb082e8cc4ced56dab62e9219ac2c28294ca
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • fdnoqmpv.exe (PID: 4536 cmdline: "C:\Users\user\Desktop\fdnoqmpv.exe" MD5: A5B50EAA46C9477E60D39778FA662926)
    • cmd.exe (PID: 6528 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\miqllcjz\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2952 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\fzzrueiu.exe" C:\Windows\SysWOW64\miqllcjz\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4440 cmdline: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6368 cmdline: "C:\Windows\System32\sc.exe" description miqllcjz "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1784 cmdline: "C:\Windows\System32\sc.exe" start miqllcjz MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 2584 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6156 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • fzzrueiu.exe (PID: 2640 cmdline: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d"C:\Users\user\Desktop\fdnoqmpv.exe" MD5: 1E259F74EE370BB24432817021F14FAD)
    • svchost.exe (PID: 1672 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 3292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 452 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 1276 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 892 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4536 -ip 4536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5676 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2640 -ip 2640 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x4f7a:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
(24 further memory-dump entries not shown)

Source | Rule | Description | Author | Strings
0.2.fdnoqmpv.exe.2ac0e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.2.fdnoqmpv.exe.2ac0e67.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
0.3.fdnoqmpv.exe.2ae0000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.fdnoqmpv.exe.2ae0000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
12.2.fzzrueiu.exe.2b50e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(39 further unpacked-PE entries not shown)

      System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d"C:\Users\user\Desktop\fdnoqmpv.exe", ParentImage: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe, ParentProcessId: 2640, ParentProcessName: fzzrueiu.exe, ProcessCommandLine: svchost.exe, ProcessId: 1672, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\fdnoqmpv.exe", ParentImage: C:\Users\user\Desktop\fdnoqmpv.exe, ParentProcessId: 4536, ParentProcessName: fdnoqmpv.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 4440, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.42.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 1672, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d"C:\Users\user\Desktop\fdnoqmpv.exe", ParentImage: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe, ParentProcessId: 2640, ParentProcessName: fzzrueiu.exe, ProcessCommandLine: svchost.exe, ProcessId: 1672, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1672, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\miqllcjz
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\fdnoqmpv.exe", ParentImage: C:\Users\user\Desktop\fdnoqmpv.exe, ParentProcessId: 4536, ParentProcessName: fdnoqmpv.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 4440, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 1276, ProcessName: svchost.exe
      No Suricata rule has matched

      AV Detection

Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: jotunheim.name:443; Avira URL Cloud: Label: malware
Source: 0.2.fdnoqmpv.exe.400000.0.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: fdnoqmpv.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\fzzrueiu.exe; Joe Sandbox ML: detected
Source: fdnoqmpv.exe; Joe Sandbox ML: detected

      Compliance

Source: C:\Users\user\Desktop\fdnoqmpv.exe; Unpacked PE file: 0.2.fdnoqmpv.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe; Unpacked PE file: 12.2.fzzrueiu.exe.400000.0.unpack
Source: C:\Users\user\Desktop\fdnoqmpv.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

      Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\miqllcjz

      Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.228.94 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 74.125.206.27 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.42.0 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 213.226.112.95 443
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.42.0
Source: Joe Sandbox View; IP Address: 67.195.228.94
Source: Joe Sandbox View; IP Address: 94.100.180.31
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View; ASN Name: RETN-ASEU
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: global traffic; TCP traffic: 192.168.2.5:49706 -> 52.101.42.0:25
Source: global traffic; TCP traffic: 192.168.2.5:61066 -> 67.195.228.94:25
Source: global traffic; TCP traffic: 192.168.2.5:61067 -> 74.125.206.27:25
Source: global traffic; TCP traffic: 192.168.2.5:61070 -> 94.100.180.31:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 9 times)
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61073
Source: unknown; Network traffic detected: HTTP traffic on port 61068 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; Network traffic detected: HTTP traffic on port 61073 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61068

      Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: fdnoqmpv.exe PID: 4536, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: fzzrueiu.exe PID: 2640, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 1672, type: MEMORYSTR

      System Summary

Source: 0.2.fdnoqmpv.exe.2ac0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.fdnoqmpv.exe.2ac0e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.fdnoqmpv.exe.2ae0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.fdnoqmpv.exe.2ae0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.fzzrueiu.exe.2b50e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.fzzrueiu.exe.2b50e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.fzzrueiu.exe.3160000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.fzzrueiu.exe.3160000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2152720884.0000000002B82000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Windows\SysWOW64\miqllcjz\
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe; Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 18_2_0058C913
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: String function: 02AC27AB appears 35 times
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\fdnoqmpv.exe; Code function: String function: 00402544 appears 53 times
Source: C:\Windows\System32\conhost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4536 -ip 4536
Source: fdnoqmpv.exe, 00000000.00000000.2072668625.000000000282C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamesOdilesigo: vs fdnoqmpv.exe
Source: fdnoqmpv.exe, 00000000.00000002.2136968604.0000000002B7B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamesOdilesigo: vs fdnoqmpv.exe
Source: fdnoqmpv.exe; Binary or memory string: OriginalFilenamesOdilesigo: vs fdnoqmpv.exe
Source: 0.2.fdnoqmpv.exe.2ac0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.fdnoqmpv.exe.2ac0e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.fdnoqmpv.exe.2ae0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.fdnoqmpv.exe.2ae0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.fzzrueiu.exe.2b50e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.fzzrueiu.exe.2b50e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.fzzrueiu.exe.3160000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.fzzrueiu.exe.3160000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0000000C.00000002.2152720884.0000000002B82000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: classification engineClassification label: mal100.troj.evad.winEXE@31/3@9/5
      Source: C:\Users\user\Desktop\fdnoqmpv.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
      Source: C:\Users\user\Desktop\fdnoqmpv.exeCode function: 0_2_02B1DFA8 CreateToolhelp32Snapshot,Module32First,0_2_02B1DFA8
      Source: C:\Users\user\Desktop\fdnoqmpv.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,12_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_00589A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,18_2_00589A6B
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:892:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5676:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Users\user\Desktop\fdnoqmpv.exe | File created: C:\Users\user\AppData\Local\Temp\fzzrueiu.exe
Source: C:\Users\user\Desktop\fdnoqmpv.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: fdnoqmpv.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\fdnoqmpv.exe | File read: C:\Users\user\Desktop\fdnoqmpv.exe
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-15053
Source: unknown | Process created: C:\Users\user\Desktop\fdnoqmpv.exe "C:\Users\user\Desktop\fdnoqmpv.exe"
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\miqllcjz\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\fzzrueiu.exe" C:\Windows\SysWOW64\miqllcjz\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description miqllcjz "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start miqllcjz
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d"C:\Users\user\Desktop\fdnoqmpv.exe"
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4536 -ip 4536
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 652
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2640 -ip 2640
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 452
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\miqllcjz\
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\fzzrueiu.exe" C:\Windows\SysWOW64\miqllcjz\
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description miqllcjz "wifi internet conection"
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start miqllcjz
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4536 -ip 4536
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 652
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2640 -ip 2640
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 452
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Section loaded: msimg32.dll
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\fdnoqmpv.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: fdnoqmpv.exeStatic file information: File size 13641216 > 1048576
      Source: C:\Users\user\Desktop\fdnoqmpv.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

      Data Obfuscation

      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Unpacked PE file: 0.2.fdnoqmpv.exe.400000.0.unpack .text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Unpacked PE file: 12.2.fzzrueiu.exe.400000.0.unpack .text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Unpacked PE file: 0.2.fdnoqmpv.exe.400000.0.unpack
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Unpacked PE file: 12.2.fzzrueiu.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_02B21290 push 0000002Bh; iretd 0_2_02B21296
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_02B8A520 push 0000002Bh; iretd 12_2_02B8A526

      Persistence and Installation Behavior

      Source: unknown | Executable created and started: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | File created: C:\Users\user\AppData\Local\Temp\fzzrueiu.exe
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe (copy)
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe (copy)
      Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\miqllcjz
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support"
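The service-installation chain recorded above (a directory created under SysWOW64, the dropped binary moved into it, then `sc.exe create ... start= auto` with the dropper's own path smuggled into `binPath=`) is the kind of command line a detection engineer wants to pull apart automatically rather than eyeball. The following Python is an added example, not part of the Joe Sandbox report: it tokenizes the `sc.exe create` invocation with Windows quoting rules (including the `\"` escapes that carry the dropper path), extracts the service image from `binPath=`, and scores the heuristics this sample trips. The first sample command line is the one recorded in this section; the second is a constructed benign control with a quoted path containing a space. The heuristic names and the vowel-ratio threshold are my own choices, not anything the report defines.

```python
"""Parse `sc.exe create` command lines and score service-persistence heuristics.

Added example, not part of the sandbox report. Standard library only.
"""
import re

# First line: the sc.exe invocation recorded in the report.
# Second line: a constructed benign control case (quoted path with a space, manual start).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support"',
    r'"C:\Windows\System32\sc.exe" create MyBackup binPath= "C:\Program Files\Acme\backup.exe" start= demand DisplayName= "Acme Backup"',
]


def win_split(cmdline: str) -> list:
    """Tokenize like CommandLineToArgvW: quotes group, backslashes only escape quotes."""
    args, cur, in_quotes, have_token, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                # 2n backslashes + quote -> n backslashes and a quote toggle;
                # 2n+1 backslashes + quote -> n backslashes and a literal quote.
                cur.append("\\" * (nbs // 2))
                if nbs % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * nbs)  # backslashes not before a quote are literal (paths)
                i = j
            have_token = True
            continue
        if c == '"':
            in_quotes = not in_quotes
            have_token = True
        elif c in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(c)
            have_token = True
        i += 1
    if have_token:
        args.append("".join(cur))
    return args


def parse_sc_create(cmdline: str):
    """Return {'name': ..., 'binpath': ..., 'start': ..., ...} for an `sc create`, else None."""
    argv = win_split(cmdline)
    if len(argv) < 3 or not argv[0].lower().endswith("sc.exe") or argv[1].lower() != "create":
        return None
    svc = {"name": argv[2]}
    i = 3
    while i < len(argv):
        tok = argv[i]
        if tok.endswith("=") and i + 1 < len(argv):   # sc's native "key= value" form
            svc[tok[:-1].lower()] = argv[i + 1]
            i += 2
        else:
            key, sep, val = tok.partition("=")         # tolerate "key=value" as well
            if sep:
                svc[key.lower()] = val
            i += 1
    return svc


def service_image(binpath: str) -> str:
    """Best-effort executable path from a service binPath (itself a command line).

    Unquoted paths with spaces are ambiguous (the SCM tries each prefix), so the
    fallback cuts at the first '.exe' followed by whitespace or end of string.
    """
    if binpath.startswith('"'):
        return win_split(binpath)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", binpath, re.I)
    return m.group(1) if m else binpath.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Weak signal: 8+ letters with fewer than 20% vowels (e.g. 'miqllcjz')."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 8 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def assess(cmdline: str) -> list:
    """Heuristic names tripped by an `sc create` command line (empty list if none)."""
    svc = parse_sc_create(cmdline)
    if not svc or "binpath" not in svc:
        return []
    image = service_image(svc["binpath"])
    args = svc["binpath"][len(image):].strip()
    findings = []
    m = re.match(r"^[a-z]:\\windows\\syswow64\\([^\\]+)\\[^\\]+$", image, re.I)
    if m:
        findings.append("image_in_syswow64_subdir")           # third-party service binaries rarely live here
        if m.group(1).lower() == svc["name"].lower():
            findings.append("service_named_after_drop_dir")  # miqllcjz\ matches service name miqllcjz
    if svc.get("start", "").lower() == "auto":
        findings.append("autostart")
    if looks_random(svc["name"]):
        findings.append("random_looking_name")
    if re.search(r"\\users\\", args, re.I):
        findings.append("args_reference_user_profile_path")   # binPath carries the dropper's own path
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(parse_sc_create(line)["name"], "->", assess(line) or "no findings")
```

Feeding this Sysmon Event ID 1 or Security 4688 command lines is the intended use; the same `sc create` also lands in System event 7045 (new service installed), where the ImagePath field is the already-resolved `binPath=` value and can go straight into `service_image`.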

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\fdnoqmpv.exe
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 18_2_0058199C
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-15921
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15294
      Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_18-6457
      Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_18-6139
      Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_18-7321
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15286
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-15428
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-15068
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14857
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | API coverage: 5.4 %
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | API coverage: 3.9 %
      Source: C:\Windows\SysWOW64\svchost.exe TID: 2820 | Thread sleep count: 33 > 30
      Source: C:\Windows\SysWOW64\svchost.exe TID: 2820 | Thread sleep time: -33000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
      Source: svchost.exe, 00000012.00000002.3312771989.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_18-6430

      Anti Debugging

      Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_18-7490
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_12-16445
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_02AC0D90 mov eax, dword ptr fs:[00000030h] 0_2_02AC0D90
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_02AC092B mov eax, dword ptr fs:[00000030h] 0_2_02AC092B
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_02B1D885 push dword ptr fs:[00000030h] 0_2_02B1D885
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_02B50D90 mov eax, dword ptr fs:[00000030h] 12_2_02B50D90
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_02B5092B mov eax, dword ptr fs:[00000030h] 12_2_02B5092B
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_02B86B15 push dword ptr fs:[00000030h] 12_2_02B86B15
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00409A6B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_00589A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 18_2_00589A6B
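The `mov eax, dword ptr fs:[00000030h]` and `push dword ptr fs:[00000030h]` hits listed above are reads of the PEB pointer. On their own they are weak evidence, since loader walks and API-resolution code read the PEB as well, which is why the report lists them next to the GetTickCount timing routine rather than on their own. The following Python is an added example, not part of the Joe Sandbox report: a byte-pattern scanner for the x86 encodings of these PEB reads that also looks, within a short window after each one, for the access to BeingDebugged (PEB+2) or NtGlobalFlag (PEB+68h) that turns a read into a debugger check. The NtGlobalFlag pattern is a common sibling check I added, not something the report flags for this sample. The code blob is constructed; the addresses the report gives (0x02AC0D90 and the others) lie outside the image mapped at 0x400000, so on this sample the scan belongs on a memory dump of the unpacked region, not on the file on disk.

```python
"""Scan 32-bit code for PEB-pointer reads and the debugger-flag checks that follow them.

Added example, not part of the sandbox report. Byte sequences are the x86
encodings of the named instructions; the sample code blob is constructed.
"""
import re

# fs:[30h] holds the PEB pointer in a 32-bit Windows process; fs:[18h] holds the
# TEB pointer, whose +30h field is the same PEB pointer.
PEB_PATTERNS = [
    (re.compile(rb"\x64\xa1\x30\x00\x00\x00"), "mov eax, dword ptr fs:[30h]"),
    (re.compile(rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"), "mov r32, dword ptr fs:[30h]"),
    (re.compile(rb"\x64\xff\x35\x30\x00\x00\x00"), "push dword ptr fs:[30h]"),
    (re.compile(rb"\x64\xa1\x18\x00\x00\x00"), "mov eax, dword ptr fs:[18h] (TEB)"),
]

# Follow-ups that make a PEB read a debugger check (assume the pointer sits in eax).
FOLLOWUPS = [
    (re.compile(rb"\x80\x78\x02\x00"), "cmp byte ptr [eax+2], 0 ; PEB.BeingDebugged"),
    (re.compile(rb"\x0f\xb6\x40\x02"), "movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged"),
    (re.compile(rb"\x8a\x40\x02"), "mov al, byte ptr [eax+2] ; PEB.BeingDebugged"),
    (re.compile(rb"\xf6\x40\x68\x70"), "test byte ptr [eax+68h], 70h ; PEB.NtGlobalFlag"),
]

# Constructed blob: a BeingDebugged check followed by a bare PEB read (offsets in comments).
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"              # 00: push ebp ; mov ebp, esp
    "64 a1 30 00 00 00"     # 03: mov eax, fs:[30h]            <- PEB read
    "0f b6 40 02"           # 09: movzx eax, byte ptr [eax+2]  <- BeingDebugged
    "85 c0"                 # 13: test eax, eax
    "74 05"                 # 15: jz +5 (skip the stub when not debugged)
    "e8 00 00 00 00"        # 17: call <stub> (placeholder rel32, not resolved here)
    "5d c3"                 # 22: pop ebp ; ret
    "90 90 90 90"           # 24: padding
    "64 ff 35 30 00 00 00"  # 28: push dword ptr fs:[30h]      <- PEB read, no flag check
    "c3"                    # 35: ret
)


def scan_peb_access(code: bytes, window: int = 16) -> list:
    """Return [{offset, instruction, followup}] sorted by offset.

    `followup` names a debugger-flag access found within `window` bytes after the
    PEB read, or None when the read is not followed by one.
    """
    hits = []
    for pat, text in PEB_PATTERNS:
        for m in pat.finditer(code):
            tail = code[m.end(): m.end() + window]
            followup = next((t for fp, t in FOLLOWUPS if fp.search(tail)), None)
            hits.append({"offset": m.start(), "instruction": text, "followup": followup})
    return sorted(hits, key=lambda h: h["offset"])


def debugger_checks(code: bytes) -> list:
    """Offsets of PEB reads that are followed by a debugger-flag access."""
    return [h["offset"] for h in scan_peb_access(code) if h["followup"]]


if __name__ == "__main__":
    for h in scan_peb_access(SAMPLE_CODE):
        print(f"{h['offset']:#06x}  {h['instruction']:<36} -> {h['followup'] or '(no flag check nearby)'}")
```

Run it over the `.unpack` images or memory dumps the report lists, not over the packed sample: the PEB reads here live in the unpacked code, and the RVA-style offsets the scanner prints are relative to whatever dump you hand it. A hit with a follow-up is worth a breakpoint; a hit without one usually is not.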

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.94 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.206.27 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.42.0 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 213.226.112.95 443
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 580000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 580000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 580000
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2952008
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\miqllcjz\
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\fzzrueiu.exe" C:\Windows\SysWOW64\miqllcjz\
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support"
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description miqllcjz "wifi internet conection"
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start miqllcjz
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4536 -ip 4536
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 652
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2640 -ip 2640
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 452
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
      Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

      Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

      Stealing of Sensitive Information

Source: Yara match | File source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fdnoqmpv.exe PID: 4536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fzzrueiu.exe PID: 2640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1672, type: MEMORYSTR

      Remote Access Functionality

Source: Yara match | File source: 0.2.fdnoqmpv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fdnoqmpv.exe.2ac0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.fzzrueiu.exe.3160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.fdnoqmpv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.fdnoqmpv.exe.2ae0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.31a0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.31a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.svchost.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.fzzrueiu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: fdnoqmpv.exe PID: 4536, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: fzzrueiu.exe PID: 2640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1672, type: MEMORYSTR
Source: C:\Users\user\Desktop\fdnoqmpv.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 18_2_005888B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
MITRE ATT&CK Matrix (techniques listed per tactic, in the order shown in the report; a leading number is the count the report attaches to that technique)

Reconnaissance
• Gather Victim Identity Information
• Credentials
• Email Addresses
• Employee Names
• Gather Victim Network Information
• Domain Properties
• DNS
• Network Trust Dependencies
• Network Topology
• IP Addresses
• Network Security Appliances

Resource Development
• Acquire Infrastructure
• Domains
• DNS Server
• Virtual Private Server
• Server
• Botnet
• Web Services
• Serverless
• Malvertising
• Compromise Infrastructure
• Domains

Initial Access
• 1 Valid Accounts
• Default Accounts
• Domain Accounts
• Local Accounts
• Cloud Accounts
• Replication Through Removable Media
• External Remote Services
• Drive-by Compromise
• Exploit Public-Facing Application
• Supply Chain Compromise
• Compromise Software Dependencies and Development Tools

Execution
• 41 Native API
• 2 Command and Scripting Interpreter
• 3 Service Execution
• Cron
• Launchd
• Scheduled Task
• Systemd Timers
• Container Orchestration Job
• Command and Scripting Interpreter
• PowerShell
• AppleScript

Persistence
• 1 DLL Side-Loading
• 1 Valid Accounts
• 14 Windows Service
• Login Hook
• Network Logon Script
• RC Scripts
• Startup Items
• Scheduled Task/Job
• At
• Cron
• Launchd

Privilege Escalation
• 1 DLL Side-Loading
• 1 Valid Accounts
• 1 Access Token Manipulation
• 14 Windows Service
• 412 Process Injection
• RC Scripts
• Startup Items
• Scheduled Task/Job
• At
• Cron
• Launchd

Defense Evasion
• 3 Disable or Modify Tools
• 1 Deobfuscate/Decode Files or Information
• 2 Obfuscated Files or Information
• 2 Software Packing
• 1 DLL Side-Loading
• 1 File Deletion
• 12 Masquerading
• 1 Valid Accounts
• 11 Virtualization/Sandbox Evasion
• 1 Access Token Manipulation
• 412 Process Injection

Credential Access
• OS Credential Dumping
• LSASS Memory
• Security Account Manager
• NTDS
• LSA Secrets
• Cached Domain Credentials
• DCSync
• Proc Filesystem
• /etc/passwd and /etc/shadow
• Network Sniffing
• Input Capture

Discovery
• 2 System Time Discovery
• 1 Account Discovery
• 1 File and Directory Discovery
• 15 System Information Discovery
• 111 Security Software Discovery
• 11 Virtualization/Sandbox Evasion
• 1 Process Discovery
• 1 System Owner/User Discovery
• 1 System Network Configuration Discovery
• Network Service Discovery
• System Network Connections Discovery

Lateral Movement
• Remote Services
• Remote Desktop Protocol
• SMB/Windows Admin Shares
• Distributed Component Object Model
• SSH
• VNC
• Windows Remote Management
• Cloud Services
• Direct Cloud VM Connections
• Shared Webroot
• Software Deployment Tools

Collection
• 1 Archive Collected Data
• Data from Removable Media
• Data from Network Shared Drive
• Input Capture
• Keylogging
• GUI Input Capture
• Web Portal Capture
• Credential API Hooking
• Data Staged
• Local Data Staging
• Remote Data Staging

Command and Control
• 1 Ingress Tool Transfer
• 12 Encrypted Channel
• 1 Non-Application Layer Protocol
• 112 Application Layer Protocol
• Fallback Channels
• Multiband Communication
• Commonly Used Port
• Application Layer Protocol
• Web Protocols
• File Transfer Protocols
• Mail Protocols

Exfiltration
• Exfiltration Over Other Network Medium
• Exfiltration Over Bluetooth
• Automated Exfiltration
• Traffic Duplication
• Scheduled Transfer
• Data Transfer Size Limits
• Exfiltration Over C2 Channel
• Exfiltration Over Alternative Protocol
• Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
• Exfiltration Over Unencrypted Non-C2 Protocol

Impact
• Abuse Accessibility Features
• Network Denial of Service
• Data Encrypted for Impact
• Data Destruction
• Data Encrypted for Impact
• Service Stop
• Inhibit System Recovery
• Defacement
• Internal Defacement
• External Defacement
• Firmware Corruption

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1488273
Sample: fdnoqmpv.exe
Startdate: 05/08/2024
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP info: yahoo.com; vanaheim.cn; 6 other IPs or domains
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures

Process tree (indentation shows the parent/child relation):
• fzzrueiu.exe (started)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
  • svchost.exe 1 (started)
    DNS/IP info: mta5.am0.yahoodns.net 67.195.228.94, 25, YAHOO-GQ1US, United States; vanaheim.cn 213.226.112.95, 443, 49707, 61068, RETN-ASEU, Russian Federation; 3 other IPs or domains
    Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
  • WerFault.exe 2 (started)
• fdnoqmpv.exe 2 (started)
  Dropped: C:\Users\user\AppData\Local\...\fzzrueiu.exe, PE32
  Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  • cmd.exe 1 (started)
    Dropped: C:\Windows\SysWOW64\...\fzzrueiu.exe (copy), PE32
    • conhost.exe (started)
  • netsh.exe 2 (started)
    • conhost.exe (started)
  • cmd.exe 2 (started)
    • conhost.exe (started)
  • 4 other processes
    • conhost.exe (started)
    • conhost.exe (started)
    • conhost.exe (started)
• svchost.exe 6 6 (started)
  • WerFault.exe 2 (started)
  • WerFault.exe 2 (started)

Source | Detection | Scanner | Label
fdnoqmpv.exe | 47% | ReversingLabs | Win32.Trojan.BotX
fdnoqmpv.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\fzzrueiu.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
mta5.am0.yahoodns.net | 67.195.228.94 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.42.0 | true | true | | unknown
vanaheim.cn | 213.226.112.95 | true | true | | unknown
smtp.google.com | 74.125.206.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.42.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
67.195.228.94 | mta5.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
213.226.112.95 | vanaheim.cn | Russian Federation | 9002 | RETN-ASEU | true
74.125.206.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488273
Start date and time: 2024-08-05 19:50:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fdnoqmpv.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@31/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 62
• Number of non-executed functions: 260
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.70.246.20, 20.236.44.162, 20.231.239.246, 20.76.201.171
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: fdnoqmpv.exe
Time | Type | Description
13:51:54 | API Interceptor | 6x Sleep call for process: svchost.exe modified
Context by IP (Associated Sample Name / URL | Detection | Threat Name)
Match: 52.101.42.0
• .exe | malicious | Unknown
• Sm4Ty3Em4z.exe | malicious | Tofsee
• rRBVVlBwia.exe | malicious | Tofsee
• DWoKcG581L.exe | malicious | Tofsee
• L7iza9mNDI.exe | malicious | Tofsee
• file.exe | malicious | Tofsee
• sorteado!!.com.exe | malicious | Unknown
• U9dDsItOij.exe | malicious | Tofsee
• bwntJQufLG.exe | malicious | Tofsee
• t26nL0kcxj.exe | malicious | Tofsee
Match: 67.195.228.94
• AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
• dIg0MWRViP.exe | malicious | Tofsee
• SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | malicious | Phorpiex
• file.exe | malicious | Phorpiex
• WtRLqa6ZXn.exe | malicious | Unknown
• newtpp.exe | malicious | Phorpiex
• gEkl9O5tiu.exe | malicious | Phorpiex
• file.exe | malicious | Tofsee
• file.exe | malicious | Phorpiex, Xmrig
• l3Qj8QhTYZ.exe | malicious | Phorpiex
Match: 213.226.112.95
• SGn3RtDC8Y.exe | malicious | Tofsee
• Sm4Ty3Em4z.exe | malicious | Tofsee
• ewdWlNc8TL.exe | malicious | Tofsee
• rRBVVlBwia.exe | malicious | Tofsee
Match: 94.100.180.31
• rRBVVlBwia.exe | malicious | Tofsee
• setup.exe | malicious | Tofsee
• m4Jp2TLBHJ.exe | malicious | Tofsee
• SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
• vyrcclmm.exe | malicious | Tofsee
• AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
• file.exe | malicious | Phorpiex, Xmrig
• .exe | malicious | Unknown
• ydbWyoxHsd.exe | malicious | Unknown
• Readme.exe | malicious | Unknown
Context by domain (Associated Sample Name / URL | Detection | Threat Name | Context IP)
Match: mxs.mail.ru
• SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
• Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
• ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
• rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
• setup.exe | malicious | Tofsee | 94.100.180.31
• 5CxmQXL0LD.exe | malicious | SystemBC | 94.100.180.31
• m4Jp2TLBHJ.exe | malicious | Tofsee | 94.100.180.31
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 217.69.139.150
• SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 94.100.180.31
• vyrcclmm.exe | malicious | Tofsee | 94.100.180.31
Match: mta5.am0.yahoodns.net
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
• vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
• lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
• I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
• file.exe | malicious | Phorpiex | 67.195.228.110
• file.exe | malicious | Phorpiex | 98.136.96.74
• file.exe | malicious | Tofsee | 98.136.96.77
• newtpp.exe | malicious | Phorpiex | 67.195.204.77
• file.msg.scr.exe | malicious | Unknown | 67.195.228.110
• file.exe | malicious | Phorpiex, Xmrig | 67.195.228.109
Match: microsoft-com.mail.protection.outlook.com
• SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
• .exe | malicious | Unknown | 52.101.40.26
• Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
• ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
• rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
• setup.exe | malicious | Tofsee | 52.101.40.26
• m4Jp2TLBHJ.exe | malicious | Tofsee | 104.47.53.36
• SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 104.47.54.36
• SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 104.47.53.36
• vyrcclmm.exe | malicious | Tofsee | 52.101.11.0
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
RETN-ASEU | SGn3RtDC8Y.exe | Get hash | malicious | Tofsee | Browse | 213.226.112.95
RETN-ASEU | Sm4Ty3Em4z.exe | Get hash | malicious | Tofsee | Browse | 213.226.112.95
RETN-ASEU | http://baghoorg.xyz | Get hash | malicious | Unknown | Browse | 139.45.197.153
RETN-ASEU | ewdWlNc8TL.exe | Get hash | malicious | Tofsee | Browse | 213.226.112.95
RETN-ASEU | LisectAVT_2403002A_312.exe | Get hash | malicious | HTMLPhisher | Browse | 139.45.197.236
RETN-ASEU | LisectAVT_2403002A_312.exe | Get hash | malicious | HTMLPhisher | Browse | 139.45.197.236
RETN-ASEU | rRBVVlBwia.exe | Get hash | malicious | Tofsee | Browse | 213.226.112.95
RETN-ASEU | https://ky.codzika.xyz/pubg/ | Get hash | malicious | Unknown | Browse | 139.45.197.250
RETN-ASEU | https://plcr.com.ng/atm.php?user=21003&ref=21003 | Get hash | malicious | Unknown | Browse | 139.45.197.237
RETN-ASEU | http://becast.onionlive.workers.dev | Get hash | malicious | Unknown | Browse | 139.45.197.236
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.google.com/aclk?sa=l&ai=DChcSEwiOgc__s96HAxWtIa0GHQSaKnoYABAAGgJwdg&co=1&ase=2&gclid=Cj0KCQjw8MG1BhCoARIsAHxSiQnsGgXsF9N-CTUdvkZ2OgloHU2xKGwSfDGxLDHi9ENt3nSRslGk5Z4aAjQUEALw_wcB&sig=AOD64_30gJrlZCnbDWmeAyph6Mlb_4IJhA&q&nis=4&adurl&ved=2ahUKEwjassj_s96HAxXDLkQIHVr9KdQQ0Qx6BAgtEAE | Get hash | malicious | Unknown | Browse | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | ATT78758.htm | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | SGn3RtDC8Y.exe | Get hash | malicious | Tofsee | Browse | 52.101.11.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | BWISE Solution #24-2000091.pdf | Get hash | malicious | Unknown | Browse | 52.146.76.30
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.templatent.com/eur/53d926b2-0373-4a76-8641-e3f5488f632d/768e4d81-78b7-4fd9-a857-c5bae5c87179/8806a07c-707c-445d-b36c-c08aabe89fc9/login?id=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 | hash | malicious | Unknown | Browse | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://grace-barr.filemail.com/t/Fc9Dus5d | Get hash | malicious | HTMLPhisher | Browse | 52.98.241.162
MICROSOFT-CORP-MSN-AS-BLOCKUS | 001original.eml | Get hash | malicious | Unknown | Browse | 104.208.16.91
MICROSOFT-CORP-MSN-AS-BLOCKUS | Saic Benefits_Enrollment.html | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | FW Quote.msg | Get hash | malicious | HTMLPhisher | Browse | 52.109.76.243
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://thehackernews.com/2024/08/new-android-trojan-blankbot-targets.html | Get hash | malicious | Unknown | Browse | 13.107.246.60
YAHOO-GQ1US | SGn3RtDC8Y.exe | Get hash | malicious | Tofsee | Browse | 67.195.228.106
YAHOO-GQ1US | .exe | Get hash | malicious | Unknown | Browse | 67.195.228.84
YAHOO-GQ1US | botx.arm6.elf | Get hash | malicious | Mirai | Browse | 98.137.77.194
YAHOO-GQ1US | qD7cj0t7Ag.elf | Get hash | malicious | Mirai, Moobot | Browse | 98.137.186.234
YAHOO-GQ1US | AvDJi40xp_9fyz7RPmKdbxb4.exe | Get hash | malicious | Tofsee | Browse | 67.195.228.94
YAHOO-GQ1US | I5vhb7vJPS.exe | Get hash | malicious | Tofsee | Browse | 67.195.228.110
YAHOO-GQ1US | https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500 | Get hash | malicious | Unknown | Browse | 98.137.11.164
YAHOO-GQ1US | dIg0MWRViP.exe | Get hash | malicious | Tofsee | Browse | 67.195.228.94
YAHOO-GQ1US | GK9sEyIS4f.elf | Get hash | malicious | Mirai | Browse | 98.136.201.234
YAHOO-GQ1US | n6UMcur8v3.elf | Get hash | malicious | Mirai | Browse | 98.137.238.181
MAILRU-ASMailRuRU | SGn3RtDC8Y.exe | Get hash | malicious | Tofsee | Browse | 217.69.139.150
MAILRU-ASMailRuRU | Sm4Ty3Em4z.exe | Get hash | malicious | Tofsee | Browse | 217.69.139.150
MAILRU-ASMailRuRU | SecuriteInfo.com.Trojan.Crypt.28917.30010.exe | Get hash | malicious | Unknown | Browse | 5.61.236.163
MAILRU-ASMailRuRU | IISz6QDXkY.elf | Get hash | malicious | Mirai | Browse | 5.61.23.77
MAILRU-ASMailRuRU | ewdWlNc8TL.exe | Get hash | malicious | Tofsee | Browse | 217.69.139.150
MAILRU-ASMailRuRU | 7Y18r(123).exe | Get hash | malicious | Unknown | Browse | 94.100.180.106
MAILRU-ASMailRuRU | rRBVVlBwia.exe | Get hash | malicious | Tofsee | Browse | 94.100.180.31
MAILRU-ASMailRuRU | setup.exe | Get hash | malicious | Tofsee | Browse | 94.100.180.31
MAILRU-ASMailRuRU | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | Get hash | malicious | Unknown | Browse | 5.61.236.163
MAILRU-ASMailRuRU | botx.arm6.elf | Get hash | malicious | Mirai | Browse | 79.137.247.12
                                                                                          No context
                                                                                          No context
                                                                                          Process:C:\Users\user\Desktop\fdnoqmpv.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15099904
                                                                                          Entropy (8bit):4.713881987206198
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:jIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOn:jItG1
                                                                                          MD5:1E259F74EE370BB24432817021F14FAD
                                                                                          SHA1:82C7502372954A04546255CC50AC9BEF7B3BB6B8
                                                                                          SHA-256:601EB53BE38724E5FE61B937451CC81FC2F41CB7D0C5C08159176CC4689C8538
                                                                                          SHA-512:045B982383E99BF1B3FD6CEE116E5B5A90832B0E07A90FCAA9A8DE037CEA7B18C68E1E64374E443F8F80DF995CD9CB6AF134DA2719027BED166AEA1EF7DD0AA3
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d......................A......[............@..........................`C.....Ta.........................................P.....B.............................................................A..@............................................text...0........................... ..`.data...T.?......|..................@....xevaj........B......0..............@..@.zac..........B......4..............@....rsrc........B..0...8..............@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):15099904
                                                                                          Entropy (8bit):4.713881987206198
                                                                                          Encrypted:false
                                                                                          SSDEEP:24576:jIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOn:jItG1
                                                                                          MD5:1E259F74EE370BB24432817021F14FAD
                                                                                          SHA1:82C7502372954A04546255CC50AC9BEF7B3BB6B8
                                                                                          SHA-256:601EB53BE38724E5FE61B937451CC81FC2F41CB7D0C5C08159176CC4689C8538
                                                                                          SHA-512:045B982383E99BF1B3FD6CEE116E5B5A90832B0E07A90FCAA9A8DE037CEA7B18C68E1E64374E443F8F80DF995CD9CB6AF134DA2719027BED166AEA1EF7DD0AA3
                                                                                          Malicious:true
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d......................A......[............@..........................`C.....Ta.........................................P.....B.............................................................A..@............................................text...0........................... ..`.data...T.?......|..................@....xevaj........B......0..............@..@.zac..........B......4..............@....rsrc........B..0...8..............@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\netsh.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3773
                                                                                          Entropy (8bit):4.7109073551842435
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                          MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                          SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                          SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                          SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                          Malicious:false
                                                                                          Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):4.715914873275824
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:fdnoqmpv.exe
                                                                                          File size:13'641'216 bytes
                                                                                          MD5:a5b50eaa46c9477e60d39778fa662926
                                                                                          SHA1:ed043f86af11c291b3e508d14fe1c4232aab1842
                                                                                          SHA256:f4d0a30894abd66615326caa634eeb082e8cc4ced56dab62e9219ac2c28294ca
                                                                                          SHA512:c5234a621effaaafb46f07542a8ab0991cc580b18555b13e082dfb9a18e19a3fa372cd522a13fbafcad39ad343ca526ccc14ff3e8ccc3dede6e7fca4ed51106f
                                                                                          SSDEEP:24576:8IbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOm:8ItG1
                                                                                          TLSH:A7D6E4503AEDD499E6F24B745974F3ED212BBCABB864825F36643F0B3831746284172E
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d...................
                                                                                          Icon Hash:cd4d3d2e4e054d07
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 19:51:12.672811031 CEST | 49706 | 25 | 192.168.2.5 | 52.101.42.0
Aug 5, 2024 19:51:13.683248043 CEST | 49706 | 25 | 192.168.2.5 | 52.101.42.0
Aug 5, 2024 19:51:15.683248997 CEST | 49706 | 25 | 192.168.2.5 | 52.101.42.0
Aug 5, 2024 19:51:15.840814114 CEST | 49707 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:51:15.840851068 CEST | 443 | 49707 | 213.226.112.95 | 192.168.2.5
Aug 5, 2024 19:51:15.840926886 CEST | 49707 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:51:19.698844910 CEST | 49706 | 25 | 192.168.2.5 | 52.101.42.0
Aug 5, 2024 19:51:27.698860884 CEST | 49706 | 25 | 192.168.2.5 | 52.101.42.0
Aug 5, 2024 19:51:32.702044964 CEST | 61066 | 25 | 192.168.2.5 | 67.195.228.94
Aug 5, 2024 19:51:33.714534044 CEST | 61066 | 25 | 192.168.2.5 | 67.195.228.94
Aug 5, 2024 19:51:35.730117083 CEST | 61066 | 25 | 192.168.2.5 | 67.195.228.94
Aug 5, 2024 19:51:39.730127096 CEST | 61066 | 25 | 192.168.2.5 | 67.195.228.94
Aug 5, 2024 19:51:47.730103970 CEST | 61066 | 25 | 192.168.2.5 | 67.195.228.94
Aug 5, 2024 19:51:52.736903906 CEST | 61067 | 25 | 192.168.2.5 | 74.125.206.27
Aug 5, 2024 19:51:53.745750904 CEST | 61067 | 25 | 192.168.2.5 | 74.125.206.27
Aug 5, 2024 19:51:55.745731115 CEST | 61067 | 25 | 192.168.2.5 | 74.125.206.27
Aug 5, 2024 19:51:55.855467081 CEST | 49707 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:51:55.855520010 CEST | 443 | 49707 | 213.226.112.95 | 192.168.2.5
Aug 5, 2024 19:51:55.855571032 CEST | 49707 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:51:55.965598106 CEST | 61068 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:51:55.965665102 CEST | 443 | 61068 | 213.226.112.95 | 192.168.2.5
Aug 5, 2024 19:51:55.965753078 CEST | 61068 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:51:59.745760918 CEST | 61067 | 25 | 192.168.2.5 | 74.125.206.27
Aug 5, 2024 19:52:07.745790958 CEST | 61067 | 25 | 192.168.2.5 | 74.125.206.27
Aug 5, 2024 19:52:12.799495935 CEST | 61070 | 25 | 192.168.2.5 | 94.100.180.31
Aug 5, 2024 19:52:13.808324099 CEST | 61070 | 25 | 192.168.2.5 | 94.100.180.31
Aug 5, 2024 19:52:15.823954105 CEST | 61070 | 25 | 192.168.2.5 | 94.100.180.31
Aug 5, 2024 19:52:19.839556932 CEST | 61070 | 25 | 192.168.2.5 | 94.100.180.31
Aug 5, 2024 19:52:27.855207920 CEST | 61070 | 25 | 192.168.2.5 | 94.100.180.31
Aug 5, 2024 19:52:35.964783907 CEST | 61068 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:52:35.964864016 CEST | 443 | 61068 | 213.226.112.95 | 192.168.2.5
Aug 5, 2024 19:52:35.964973927 CEST | 61068 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:52:36.074995995 CEST | 61073 | 443 | 192.168.2.5 | 213.226.112.95
Aug 5, 2024 19:52:36.075041056 CEST | 443 | 61073 | 213.226.112.95 | 192.168.2.5
Aug 5, 2024 19:52:36.075154066 CEST | 61073 | 443 | 192.168.2.5 | 213.226.112.95
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 19:51:12.634207010 CEST | 60398 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:51:12.669277906 CEST | 53 | 60398 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:51:15.591161013 CEST | 59611 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:51:15.839437008 CEST | 53 | 59611 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:51:24.116043091 CEST | 53 | 65350 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:51:32.683901072 CEST | 62324 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:51:32.692687988 CEST | 53 | 62324 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:51:32.693479061 CEST | 60770 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:51:32.701368093 CEST | 53 | 60770 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:51:52.715020895 CEST | 64039 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:51:52.727070093 CEST | 53 | 64039 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:51:52.727668047 CEST | 54432 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:51:52.736361027 CEST | 53 | 54432 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:52:12.730691910 CEST | 54563 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:52:12.740214109 CEST | 53 | 54563 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:52:12.741060019 CEST | 56363 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:52:12.798780918 CEST | 53 | 56363 | 1.1.1.1 | 192.168.2.5
Aug 5, 2024 19:53:09.145962000 CEST | 52465 | 53 | 192.168.2.5 | 1.1.1.1
Aug 5, 2024 19:53:09.154371023 CEST | 53 | 52465 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 5, 2024 19:51:12.634207010 CEST | 192.168.2.5 | 1.1.1.1 | 0x20ae | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Aug 5, 2024 19:51:15.591161013 CEST | 192.168.2.5 | 1.1.1.1 | 0x709e | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Aug 5, 2024 19:51:32.683901072 CEST | 192.168.2.5 | 1.1.1.1 | 0xfd9 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Aug 5, 2024 19:51:32.693479061 CEST | 192.168.2.5 | 1.1.1.1 | 0x4689 | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 19:51:52.715020895 CEST | 192.168.2.5 | 1.1.1.1 | 0xd14 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Aug 5, 2024 19:51:52.727668047 CEST | 192.168.2.5 | 1.1.1.1 | 0xbd07 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Aug 5, 2024 19:52:12.730691910 CEST | 192.168.2.5 | 1.1.1.1 | 0x4367 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Aug 5, 2024 19:52:12.741060019 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b02 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Aug 5, 2024 19:53:09.145962000 CEST | 192.168.2.5 | 1.1.1.1 | 0xeb14 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
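The DNS and TCP tables above show the sequence a spambot produces on an infected workstation: an MX query for a mail provider (yahoo.com, google.com, mail.ru), an A query for the returned exchanger, then a connection to TCP/25 on that address, with the same SYN repeated several times when the sandbox does not let it through. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample, showing how to turn that sequence into a detection over combined DNS and connection logs: alert when a host that is not an allow-listed mail relay opens TCP/25 within a window of issuing its own MX query, and collapse retransmitted SYNs so one session yields one alert. The tab-separated log format, the sample lines (modelled on the report's tables, with one invented host), the `mail_relays` allow-list and the 300-second default window are assumptions of the example.

```python
"""Detect direct-to-MX spam delivery from a workstation: the host resolves a
mail provider's MX record itself and then opens TCP/25 to a mail exchanger.
Added example modelled on the report's DNS and TCP tables; not report code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real capture). Tab-separated fields:
#   timestamp  src_ip  dst_ip  DNS  <queried name>  <query type>
#   timestamp  src_ip  dst_ip  TCP  <src port>      <dst port>
# Values mirror the report; the 192.168.2.7 / 203.0.113.25 line is invented
# to show a TCP/25 client that issued no MX query of its own.
SAMPLE_LOG = """\
Aug 5, 2024 19:51:32.683901072 CEST\t192.168.2.5\t1.1.1.1\tDNS\tyahoo.com\tMX
Aug 5, 2024 19:51:32.693479061 CEST\t192.168.2.5\t1.1.1.1\tDNS\tmta5.am0.yahoodns.net\tA
Aug 5, 2024 19:51:32.702044964 CEST\t192.168.2.5\t67.195.228.94\tTCP\t61066\t25
Aug 5, 2024 19:51:33.714534044 CEST\t192.168.2.5\t67.195.228.94\tTCP\t61066\t25
Aug 5, 2024 19:51:52.715020895 CEST\t192.168.2.5\t1.1.1.1\tDNS\tgoogle.com\tMX
Aug 5, 2024 19:51:52.736903906 CEST\t192.168.2.5\t74.125.206.27\tTCP\t61067\t25
Aug 5, 2024 19:51:55.840814114 CEST\t192.168.2.5\t213.226.112.95\tTCP\t49707\t443
Aug 5, 2024 19:52:12.730691910 CEST\t192.168.2.5\t1.1.1.1\tDNS\tmail.ru\tMX
Aug 5, 2024 19:52:12.799495935 CEST\t192.168.2.5\t94.100.180.31\tTCP\t61070\t25
Aug 5, 2024 19:55:00.000000000 CEST\t192.168.2.7\t203.0.113.25\tTCP\t50001\t25
"""


def parse_ts(text):
    """Parse the report's timestamp style ("Aug 5, 2024 19:51:32.683901072 CEST").
    strptime's %f accepts at most six digits, so the zone is dropped and the
    nanosecond fraction is truncated to microseconds."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_log(text):
    """Split the sample format into DNS query and TCP connection records."""
    dns, tcp = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, kind, a, b = line.split("\t")
        when = parse_ts(ts)
        if kind == "DNS":
            dns.append((when, src, a, b))                  # name, query type
        elif kind == "TCP":
            tcp.append((when, src, dst, int(a), int(b)))   # src port, dst port
    return dns, tcp


def detect_direct_to_mx(text, window_seconds=300, mail_relays=frozenset()):
    """Return one alert per (client, exchanger, source port) when a host that is
    not an allow-listed relay connects to TCP/25 within the window after issuing
    its own MX query. Retransmitted SYNs (same 3-tuple) add no further alerts."""
    window = timedelta(seconds=window_seconds)
    dns, tcp = parse_log(text)
    mx_queries = defaultdict(list)              # client ip -> [(time, domain)]
    for when, src, name, qtype in dns:
        if qtype == "MX":
            mx_queries[src].append((when, name))

    alerts, seen = [], set()
    for when, src, dst, sport, dport in sorted(tcp):
        if dport != 25 or src in mail_relays or (src, dst, sport) in seen:
            continue
        recent = [(t, d) for t, d in mx_queries.get(src, ())
                  if when - window <= t <= when]
        if not recent:
            continue                            # TCP/25 without a self-issued MX lookup
        seen.add((src, dst, sport))
        last_time, last_domain = max(recent)    # most recent MX query before the SYN
        alerts.append({
            "time": when.isoformat(),
            "host": src,
            "dst": dst,
            "last_mx": last_domain,
            "mx_age_s": round((when - last_time).total_seconds(), 3),
            "distinct_mx_domains": len({d for _, d in recent}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_direct_to_mx(SAMPLE_LOG):
        print(alert)
```

The `distinct_mx_domains` count is the useful severity signal: a mail client or relay resolves one provider at a time, while a spambot walks through many recipient domains within minutes, as the three MX lookups in the tables above do. Hosts that legitimately speak SMTP outbound (the organisation's MTA) belong in `mail_relays`, not in a wider window.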
                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Aug 5, 2024 19:51:12.669277906 CEST1.1.1.1192.168.2.50x20aeNo error (0)microsoft-com.mail.protection.outlook.com52.101.42.0A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:12.669277906 CEST1.1.1.1192.168.2.50x20aeNo error (0)microsoft-com.mail.protection.outlook.com52.101.8.49A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:12.669277906 CEST1.1.1.1192.168.2.50x20aeNo error (0)microsoft-com.mail.protection.outlook.com52.101.40.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:12.669277906 CEST1.1.1.1192.168.2.50x20aeNo error (0)microsoft-com.mail.protection.outlook.com52.101.11.0A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:15.839437008 CEST1.1.1.1192.168.2.50x709eNo error (0)vanaheim.cn213.226.112.95A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.692687988 CEST1.1.1.1192.168.2.50xfd9No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.692687988 CEST1.1.1.1192.168.2.50xfd9No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.692687988 CEST1.1.1.1192.168.2.50xfd9No error (0)yahoo.comMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net67.195.228.94A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net98.136.96.74A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net98.136.96.77A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net98.136.96.91A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net67.195.228.106A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net98.136.96.76A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:32.701368093 CEST1.1.1.1192.168.2.50x4689No error (0)mta5.am0.yahoodns.net67.195.204.79A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:52.727070093 CEST1.1.1.1192.168.2.50xd14No error (0)google.comMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:52.736361027 CEST1.1.1.1192.168.2.50xbd07No error (0)smtp.google.com74.125.206.27A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:52.736361027 CEST1.1.1.1192.168.2.50xbd07No error (0)smtp.google.com64.233.184.27A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:52.736361027 CEST1.1.1.1192.168.2.50xbd07No error (0)smtp.google.com64.233.167.27A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:52.736361027 CEST1.1.1.1192.168.2.50xbd07No error (0)smtp.google.com64.233.167.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:51:52.736361027 CEST1.1.1.1192.168.2.50xbd07No error (0)smtp.google.com74.125.206.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:52:12.740214109 CEST1.1.1.1192.168.2.50x4367No error (0)mail.ruMX (Mail exchange)IN (0x0001)false
                                                                                          Aug 5, 2024 19:52:12.798780918 CEST1.1.1.1192.168.2.50x9b02No error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:52:12.798780918 CEST1.1.1.1192.168.2.50x9b02No error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:53:09.154371023 CEST1.1.1.1192.168.2.50xeb14No error (0)microsoft-com.mail.protection.outlook.com52.101.11.0A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:53:09.154371023 CEST1.1.1.1192.168.2.50xeb14No error (0)microsoft-com.mail.protection.outlook.com52.101.40.26A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:53:09.154371023 CEST1.1.1.1192.168.2.50xeb14No error (0)microsoft-com.mail.protection.outlook.com52.101.42.0A (IP address)IN (0x0001)false
                                                                                          Aug 5, 2024 19:53:09.154371023 CEST1.1.1.1192.168.2.50xeb14No error (0)microsoft-com.mail.protection.outlook.com52.101.8.49A (IP address)IN (0x0001)false

Target ID: 0
Start time: 13:51:03
Start date: 05/08/2024
Path: C:\Users\user\Desktop\fdnoqmpv.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\fdnoqmpv.exe"
Imagebase: 0x400000
File size: 13'641'216 bytes
MD5 hash: A5B50EAA46C9477E60D39778FA662926
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2096852918.0000000002AE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:51:06
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\miqllcjz\
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:51:06
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:51:07
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\fzzrueiu.exe" C:\Windows\SysWOW64\miqllcjz\
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 13:51:07
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 13:51:07
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" create miqllcjz binPath= "C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d\"C:\Users\user\Desktop\fdnoqmpv.exe\"" type= own start= auto DisplayName= "wifi support"
Imagebase: 0xa00000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 7
Start time: 13:51:07
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:51:08
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" description miqllcjz "wifi internet conection"
Imagebase: 0xa00000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 13:51:08
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:51:08
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" start miqllcjz
Imagebase: 0xa00000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 13:51:08
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 13:51:09
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe /d"C:\Users\user\Desktop\fdnoqmpv.exe"
Imagebase: 0x400000
File size: 15'099'904 bytes
MD5 hash: 1E259F74EE370BB24432817021F14FAD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2149627295.0000000003160000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2152851858.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2152720884.0000000002B82000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

                                                                                          Target ID:13
                                                                                          Start time:13:51:09
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0x1080000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:13:51:09
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                          Imagebase:0x7ff7e52b0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:false

                                                                                          Target ID:15
                                                                                          Start time:13:51:09
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:13:51:09
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4536 -ip 4536
                                                                                          Imagebase:0xa30000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:13:51:09
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 652
                                                                                          Imagebase:0xa30000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:18
                                                                                          Start time:13:51:11
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0x600000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Has exited:false

                                                                                          Target ID:19
                                                                                          Start time:13:51:11
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2640 -ip 2640
                                                                                          Imagebase:0xa30000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:20
                                                                                          Start time:13:51:11
                                                                                          Start date:05/08/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 452
                                                                                          Imagebase:0xa30000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                            Execution Graph

                                                                                            Execution Coverage:3.6%
                                                                                            Dynamic/Decrypted Code Coverage:31%
                                                                                            Signature Coverage:25.4%
                                                                                            Total number of Nodes:1562
                                                                                            Total number of Limit Nodes:18
15420 40f0f1 15419->15420 15421 40f0ed 15419->15421 15422 40f119 15420->15422 15423 40f0fa lstrlenA SysAllocStringByteLen 15420->15423 15421->15048 15425 40f11c MultiByteToWideChar 15422->15425 15424 40f117 15423->15424 15423->15425 15424->15048 15425->15424 15427 401820 17 API calls 15426->15427 15428 4018f2 15427->15428 15429 4018f9 15428->15429 15441 401280 15428->15441 15429->15043 15431 401908 15431->15043 15453 401000 15432->15453 15434 401839 15435 401851 GetCurrentProcess 15434->15435 15436 40183d 15434->15436 15437 401864 15435->15437 15436->15034 15437->15034 15439 406e5f LookupAccountNameW 15438->15439 15440 406e97 15438->15440 15439->15440 15440->15405 15442 4012e1 15441->15442 15443 4016f9 GetLastError 15442->15443 15444 4013a8 15442->15444 15445 401699 15443->15445 15444->15445 15446 401570 lstrlenW 15444->15446 15447 4015be GetStartupInfoW 15444->15447 15448 4015ff CreateProcessWithLogonW 15444->15448 15452 401668 CloseHandle 15444->15452 15445->15431 15446->15444 15447->15444 15449 4016bf GetLastError 15448->15449 15450 40163f WaitForSingleObject 15448->15450 15449->15445 15450->15444 15451 401659 CloseHandle 15450->15451 15451->15444 15452->15444 15454 40100d LoadLibraryA 15453->15454 15461 401023 15453->15461 15455 401021 15454->15455 15454->15461 15455->15434 15456 4010b5 GetProcAddress 15457 4010d1 GetProcAddress 15456->15457 15458 40127b 15456->15458 15457->15458 15459 4010f0 GetProcAddress 15457->15459 15458->15434 15459->15458 15460 401110 GetProcAddress 15459->15460 15460->15458 15462 401130 GetProcAddress 15460->15462 15461->15456 15473 4010ae 15461->15473 15462->15458 15463 40114f GetProcAddress 15462->15463 15463->15458 15464 40116f GetProcAddress 15463->15464 15464->15458 15465 40118f GetProcAddress 15464->15465 15465->15458 15466 4011ae GetProcAddress 15465->15466 15466->15458 15467 4011ce GetProcAddress 15466->15467 15467->15458 15468 4011ee GetProcAddress 15467->15468 15468->15458 15469 401209 GetProcAddress 15468->15469 15469->15458 
15470 401225 GetProcAddress 15469->15470 15470->15458 15471 401241 GetProcAddress 15470->15471 15471->15458 15472 40125c GetProcAddress 15471->15472 15472->15458 15473->15434 15476 4069b9 WriteFile 15474->15476 15477 406a3c 15476->15477 15478 4069ff 15476->15478 15477->15058 15477->15059 15478->15477 15479 406a10 WriteFile 15478->15479 15479->15477 15479->15478 15481 40eb17 15480->15481 15482 40eb21 15480->15482 15484 40eae4 15481->15484 15482->15062 15485 40eb02 GetProcAddress 15484->15485 15486 40eaed LoadLibraryA 15484->15486 15485->15482 15486->15485 15487 40eb01 15486->15487 15487->15482 15489 40eba7 GetProcessHeap HeapSize 15488->15489 15490 40ebbf GetProcessHeap HeapFree 15488->15490 15489->15490 15490->15091 15492 40908d 15491->15492 15493 4090e2 wsprintfA 15492->15493 15494 40ee2a 15493->15494 15495 4090fd CreateFileA 15494->15495 15496 40911a lstrlenA WriteFile CloseHandle 15495->15496 15497 40913f 15495->15497 15496->15497 15497->15100 15497->15101 15499 40ee2a 15498->15499 15500 409794 CreateProcessA 15499->15500 15501 4097c2 15500->15501 15502 4097bb 15500->15502 15503 4097d4 GetThreadContext 15501->15503 15502->15112 15504 409801 15503->15504 15505 4097f5 15503->15505 15512 40637c 15504->15512 15506 4097f6 TerminateProcess 15505->15506 15506->15502 15508 409816 15508->15506 15509 40981e WriteProcessMemory 15508->15509 15509->15505 15510 40983b SetThreadContext 15509->15510 15510->15505 15511 409858 ResumeThread 15510->15511 15511->15502 15513 406386 15512->15513 15514 40638a GetModuleHandleA VirtualAlloc 15512->15514 15513->15508 15515 4063f5 15514->15515 15516 4063b6 15514->15516 15515->15508 15517 4063be VirtualAllocEx 15516->15517 15517->15515 15518 4063d6 15517->15518 15519 4063df WriteProcessMemory 15518->15519 15519->15515 15521 40dd41 InterlockedExchange 15520->15521 15522 40dd20 GetCurrentThreadId 15521->15522 15526 40dd4a 15521->15526 15523 40dd53 GetCurrentThreadId 15522->15523 15524 40dd2e GetTickCount 15522->15524 15523->15115 15525 40dd39 
Sleep 15524->15525 15524->15526 15525->15521 15526->15523 15528 40dbf0 15527->15528 15560 40db67 GetEnvironmentVariableA 15528->15560 15530 40dc19 15531 40dcda 15530->15531 15532 40db67 3 API calls 15530->15532 15531->15117 15533 40dc5c 15532->15533 15533->15531 15534 40db67 3 API calls 15533->15534 15535 40dc9b 15534->15535 15535->15531 15536 40db67 3 API calls 15535->15536 15536->15531 15538 40db3a 15537->15538 15540 40db55 15537->15540 15564 40ebed 15538->15564 15540->15119 15540->15124 15573 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15541->15573 15543 40e3be 15543->15119 15544 40e342 15544->15543 15576 40de24 15544->15576 15547 40e528 15546->15547 15548 40e3f4 15546->15548 15547->15129 15549 40e434 RegQueryValueExA 15548->15549 15550 40e458 15549->15550 15551 40e51d RegCloseKey 15549->15551 15552 40e46e RegQueryValueExA 15550->15552 15551->15547 15552->15550 15553 40e488 15552->15553 15553->15551 15554 40db2e 8 API calls 15553->15554 15555 40e499 15554->15555 15555->15551 15556 40e4b9 RegQueryValueExA 15555->15556 15557 40e4e8 15555->15557 15556->15555 15556->15557 15557->15551 15558 40e332 14 API calls 15557->15558 15559 40e513 15558->15559 15559->15551 15561 40db89 lstrcpyA CreateFileA 15560->15561 15562 40dbca 15560->15562 15561->15530 15562->15530 15565 40ec01 15564->15565 15566 40ebf6 15564->15566 15568 40eba0 codecvt 2 API calls 15565->15568 15567 40ebcc 4 API calls 15566->15567 15569 40ebfe 15567->15569 15570 40ec0a GetProcessHeap HeapReAlloc 15568->15570 15569->15540 15571 40eb74 2 API calls 15570->15571 15572 40ec28 15571->15572 15572->15540 15587 40eb41 15573->15587 15577 40de3a 15576->15577 15584 40de4e 15577->15584 15591 40dd84 15577->15591 15580 40ebed 8 API calls 15582 40def6 15580->15582 15581 40de9e 15581->15580 15581->15584 15582->15584 15586 40ddcf lstrcmpA 15582->15586 15583 40de76 15595 40ddcf 15583->15595 15584->15544 15586->15584 15588 40eb4a 15587->15588 15590 40eb54 15587->15590 15589 40eae4 2 API calls 15588->15589 
15589->15590 15590->15544 15592 40ddc5 15591->15592 15593 40dd96 15591->15593 15592->15581 15592->15583 15593->15592 15594 40ddad lstrcmpiA 15593->15594 15594->15592 15594->15593 15596 40dddd 15595->15596 15598 40de20 15595->15598 15597 40ddfa lstrcmpA 15596->15597 15596->15598 15597->15596 15598->15584 15600 40dd05 6 API calls 15599->15600 15601 40e821 15600->15601 15602 40dd84 lstrcmpiA 15601->15602 15603 40e82c 15602->15603 15604 40e844 15603->15604 15647 402480 15603->15647 15604->15144 15607 40dd05 6 API calls 15606->15607 15608 40df7c 15607->15608 15609 40dd84 lstrcmpiA 15608->15609 15610 40df89 15609->15610 15611 40ddcf lstrcmpA 15610->15611 15612 40ec2e codecvt 4 API calls 15610->15612 15613 40dd84 lstrcmpiA 15610->15613 15614 40dfc4 15610->15614 15611->15610 15612->15610 15613->15610 15614->15150 15616 40ea98 15615->15616 15656 40e8a1 15616->15656 15618 401e84 15618->15153 15620 4019d5 GetProcAddress GetProcAddress GetProcAddress 15619->15620 15623 4019ce 15619->15623 15621 401ab3 FreeLibrary 15620->15621 15622 401a04 15620->15622 15621->15623 15622->15621 15624 401a14 GetProcessHeap 15622->15624 15623->15157 15624->15623 15626 401a2e HeapAlloc 15624->15626 15626->15623 15627 401a42 15626->15627 15628 401a62 15627->15628 15629 401a52 HeapReAlloc 15627->15629 15630 401aa1 FreeLibrary 15628->15630 15631 401a96 HeapFree 15628->15631 15629->15628 15630->15623 15631->15630 15684 401ac3 LoadLibraryA 15632->15684 15635 401bcf 15635->15169 15637 401ac3 12 API calls 15636->15637 15638 401c09 15637->15638 15639 401c0d GetComputerNameA 15638->15639 15642 401c41 15638->15642 15640 401c45 GetVolumeInformationA 15639->15640 15641 401c1f 15639->15641 15640->15642 15641->15640 15641->15642 15642->15176 15644 40ee2a 15643->15644 15645 4030d0 gethostname gethostbyname 15644->15645 15646 401f82 15645->15646 15646->15181 15646->15183 15650 402419 lstrlenA 15647->15650 15649 402491 15649->15604 15651 40243d lstrlenA 15650->15651 15652 402474 15650->15652 15653 402464 lstrlenA 
15651->15653 15654 40244e lstrcmpiA 15651->15654 15652->15649 15653->15651 15653->15652 15654->15653 15655 40245c 15654->15655 15655->15652 15655->15653 15657 40dd05 6 API calls 15656->15657 15658 40e8b4 15657->15658 15659 40dd84 lstrcmpiA 15658->15659 15660 40e8c0 15659->15660 15661 40e8c8 lstrcpynA 15660->15661 15671 40e90a 15660->15671 15662 40e8f5 15661->15662 15677 40df4c 15662->15677 15663 402419 4 API calls 15664 40e926 lstrlenA lstrlenA 15663->15664 15666 40e96a 15664->15666 15667 40e94c lstrlenA 15664->15667 15670 40ebcc 4 API calls 15666->15670 15672 40ea27 15666->15672 15667->15666 15668 40e901 15669 40dd84 lstrcmpiA 15668->15669 15669->15671 15673 40e98f 15670->15673 15671->15663 15671->15672 15672->15618 15673->15672 15674 40df4c 20 API calls 15673->15674 15675 40ea1e 15674->15675 15676 40ec2e codecvt 4 API calls 15675->15676 15676->15672 15678 40dd05 6 API calls 15677->15678 15679 40df51 15678->15679 15680 40f04e 4 API calls 15679->15680 15681 40df58 15680->15681 15682 40de24 10 API calls 15681->15682 15683 40df63 15682->15683 15683->15668 15685 401ae2 GetProcAddress 15684->15685 15690 401b68 GetComputerNameA GetVolumeInformationA 15684->15690 15686 401af5 15685->15686 15685->15690 15687 40ebed 8 API calls 15686->15687 15689 401b29 15686->15689 15687->15686 15688 40ec2e codecvt 4 API calls 15688->15690 15689->15688 15689->15689 15689->15690 15690->15635 15692 406ec3 2 API calls 15691->15692 15693 407ef4 15692->15693 15694 407fc9 15693->15694 15695 4073ff 17 API calls 15693->15695 15694->15192 15696 407f16 15695->15696 15696->15694 15704 407809 GetUserNameA 15696->15704 15698 407f63 15698->15694 15699 40ef1e lstrlenA 15698->15699 15700 407fa6 15699->15700 15701 40ef1e lstrlenA 15700->15701 15702 407fb7 15701->15702 15728 407a95 RegOpenKeyExA 15702->15728 15705 40783d LookupAccountNameA 15704->15705 15706 407a8d 15704->15706 15705->15706 15707 407874 GetLengthSid GetFileSecurityA 15705->15707 15706->15698 15707->15706 15708 4078a8 
GetSecurityDescriptorOwner 15707->15708 15709 4078c5 EqualSid 15708->15709 15710 40791d GetSecurityDescriptorDacl 15708->15710 15709->15710 15712 4078dc LocalAlloc 15709->15712 15710->15706 15711 407941 15710->15711 15711->15706 15714 40795b GetAce 15711->15714 15718 407980 EqualSid 15711->15718 15719 407a3d 15711->15719 15720 4079be EqualSid 15711->15720 15721 40799d DeleteAce 15711->15721 15712->15710 15713 4078ef InitializeSecurityDescriptor 15712->15713 15715 407916 LocalFree 15713->15715 15716 4078fb SetSecurityDescriptorOwner 15713->15716 15714->15711 15715->15710 15716->15715 15717 40790b SetFileSecurityA 15716->15717 15717->15715 15718->15711 15719->15706 15722 407a43 LocalAlloc 15719->15722 15720->15711 15721->15711 15722->15706 15723 407a56 InitializeSecurityDescriptor 15722->15723 15724 407a62 SetSecurityDescriptorDacl 15723->15724 15725 407a86 LocalFree 15723->15725 15724->15725 15726 407a73 SetFileSecurityA 15724->15726 15725->15706 15726->15725 15727 407a83 15726->15727 15727->15725 15729 407ac4 15728->15729 15730 407acb GetUserNameA 15728->15730 15729->15694 15731 407da7 RegCloseKey 15730->15731 15732 407aed LookupAccountNameA 15730->15732 15731->15729 15732->15731 15733 407b24 RegGetKeySecurity 15732->15733 15733->15731 15734 407b49 GetSecurityDescriptorOwner 15733->15734 15735 407b63 EqualSid 15734->15735 15736 407bb8 GetSecurityDescriptorDacl 15734->15736 15735->15736 15737 407b74 LocalAlloc 15735->15737 15738 407da6 15736->15738 15744 407bdc 15736->15744 15737->15736 15739 407b8a InitializeSecurityDescriptor 15737->15739 15738->15731 15740 407bb1 LocalFree 15739->15740 15741 407b96 SetSecurityDescriptorOwner 15739->15741 15740->15736 15741->15740 15743 407ba6 RegSetKeySecurity 15741->15743 15742 407bf8 GetAce 15742->15744 15743->15740 15744->15738 15744->15742 15745 407c1d EqualSid 15744->15745 15746 407c5f EqualSid 15744->15746 15747 407cd9 15744->15747 15748 407c3a DeleteAce 15744->15748 15745->15744 15746->15744 15747->15738 15749 407d5a 
LocalAlloc 15747->15749 15750 407cf2 RegOpenKeyExA 15747->15750 15748->15744 15749->15738 15751 407d70 InitializeSecurityDescriptor 15749->15751 15750->15749 15756 407d0f 15750->15756 15752 407d7c SetSecurityDescriptorDacl 15751->15752 15753 407d9f LocalFree 15751->15753 15752->15753 15754 407d8c RegSetKeySecurity 15752->15754 15753->15738 15754->15753 15755 407d9c 15754->15755 15755->15753 15757 407d43 RegSetValueExA 15756->15757 15757->15749 15758 407d54 15757->15758 15758->15749 15759->15211 15761 40dd05 6 API calls 15760->15761 15765 40e65f 15761->15765 15762 40e6a5 15763 40ebcc 4 API calls 15762->15763 15767 40e6f5 15762->15767 15764 40e6b0 15763->15764 15764->15767 15768 40e6b7 15764->15768 15770 40e6e0 lstrcpynA 15764->15770 15765->15762 15766 40e68c lstrcmpA 15765->15766 15766->15765 15767->15768 15769 40e71d lstrcmpA 15767->15769 15768->15213 15769->15767 15770->15767 15771->15219 15773 40c525 15772->15773 15774 40c532 15772->15774 15773->15774 15776 40ec2e codecvt 4 API calls 15773->15776 15775 40c548 15774->15775 15924 40e7ff 15774->15924 15778 40e7ff lstrcmpiA 15775->15778 15786 40c54f 15775->15786 15776->15774 15779 40c615 15778->15779 15780 40ebcc 4 API calls 15779->15780 15779->15786 15780->15786 15781 40c5d1 15784 40ebcc 4 API calls 15781->15784 15783 40e819 11 API calls 15785 40c5b7 15783->15785 15784->15786 15787 40f04e 4 API calls 15785->15787 15786->15232 15788 40c5bf 15787->15788 15788->15775 15788->15781 15790 402692 inet_addr 15789->15790 15791 40268e 15789->15791 15790->15791 15792 40269e gethostbyname 15790->15792 15793 40f428 15791->15793 15792->15791 15927 40f315 15793->15927 15798 40c8d2 15796->15798 15797 40c907 15797->15234 15798->15797 15799 40c517 23 API calls 15798->15799 15799->15797 15800 40f43e 15801 40f473 recv 15800->15801 15802 40f47c 15801->15802 15803 40f458 15801->15803 15802->15250 15803->15801 15803->15802 15805 40c670 15804->15805 15806 40c67d 15804->15806 15807 40ebcc 4 API calls 15805->15807 15808 40ebcc 4 API calls 
15806->15808 15810 40c699 15806->15810 15807->15806 15808->15810 15809 40c6f3 15809->15263 15809->15294 15810->15809 15811 40c73c send 15810->15811 15811->15809 15813 40c770 15812->15813 15814 40c77d 15812->15814 15815 40ebcc 4 API calls 15813->15815 15816 40ebcc 4 API calls 15814->15816 15818 40c799 15814->15818 15815->15814 15816->15818 15817 40c7b5 15820 40f43e recv 15817->15820 15818->15817 15819 40ebcc 4 API calls 15818->15819 15819->15817 15821 40c7cb 15820->15821 15822 40f43e recv 15821->15822 15823 40c7d3 15821->15823 15822->15823 15823->15294 15940 407db7 15824->15940 15827 407e70 15829 407e96 15827->15829 15830 40f04e 4 API calls 15827->15830 15828 40f04e 4 API calls 15831 407e4c 15828->15831 15829->15294 15830->15829 15831->15827 15832 40f04e 4 API calls 15831->15832 15832->15827 15834 406ec3 2 API calls 15833->15834 15835 407fdd 15834->15835 15836 4073ff 17 API calls 15835->15836 15845 4080c2 CreateProcessA 15835->15845 15837 407fff 15836->15837 15838 407809 21 API calls 15837->15838 15837->15845 15839 40804d 15838->15839 15840 40ef1e lstrlenA 15839->15840 15839->15845 15841 40809e 15840->15841 15842 40ef1e lstrlenA 15841->15842 15843 4080af 15842->15843 15844 407a95 24 API calls 15843->15844 15844->15845 15845->15316 15845->15317 15847 407db7 2 API calls 15846->15847 15848 407eb8 15847->15848 15849 40f04e 4 API calls 15848->15849 15850 407ece DeleteFileA 15849->15850 15850->15294 15852 40dd05 6 API calls 15851->15852 15853 40e31d 15852->15853 15944 40e177 15853->15944 15855 40e326 15855->15288 15857 4031f3 15856->15857 15867 4031ec 15856->15867 15858 40ebcc 4 API calls 15857->15858 15866 4031fc 15858->15866 15859 403459 15862 40f04e 4 API calls 15859->15862 15860 40349d 15861 40ec2e codecvt 4 API calls 15860->15861 15861->15867 15863 40345f 15862->15863 15865 4030fa 4 API calls 15863->15865 15864 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15864->15866 15865->15867 15866->15864 15866->15867 15868 40344d 15866->15868 15871 403141 
lstrcmpiA 15866->15871 15872 40344b 15866->15872 15970 4030fa GetTickCount 15866->15970 15867->15294 15869 40ec2e codecvt 4 API calls 15868->15869 15869->15872 15871->15866 15872->15859 15872->15860 15874 4030fa 4 API calls 15873->15874 15875 403c1a 15874->15875 15876 403ce6 15875->15876 15975 403a72 15875->15975 15876->15294 15879 403a72 9 API calls 15881 403c5e 15879->15881 15880 403a72 9 API calls 15880->15881 15881->15876 15881->15880 15882 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15881->15882 15882->15881 15884 403a10 15883->15884 15885 4030fa 4 API calls 15884->15885 15886 403a1a 15885->15886 15886->15294 15888 40dd05 6 API calls 15887->15888 15889 40e7be 15888->15889 15889->15294 15891 40c105 15890->15891 15892 40c07e wsprintfA 15890->15892 15891->15294 15984 40bfce GetTickCount wsprintfA 15892->15984 15894 40c0ef 15985 40bfce GetTickCount wsprintfA 15894->15985 15897 407047 15896->15897 15898 406f88 LookupAccountNameA 15896->15898 15897->15294 15900 407025 15898->15900 15901 406fcb 15898->15901 15902 406edd 5 API calls 15900->15902 15903 406fdb ConvertSidToStringSidA 15901->15903 15904 40702a wsprintfA 15902->15904 15903->15900 15905 406ff1 15903->15905 15904->15897 15906 407013 LocalFree 15905->15906 15906->15900 15908 40dd05 6 API calls 15907->15908 15909 40e85c 15908->15909 15910 40dd84 lstrcmpiA 15909->15910 15911 40e867 15910->15911 15912 40e885 lstrcpyA 15911->15912 15986 4024a5 15911->15986 15989 40dd69 15912->15989 15918 407db7 2 API calls 15917->15918 15919 407de1 15918->15919 15920 407e16 15919->15920 15921 40f04e 4 API calls 15919->15921 15920->15294 15922 407df2 15921->15922 15922->15920 15923 40f04e 4 API calls 15922->15923 15923->15920 15925 40dd84 lstrcmpiA 15924->15925 15926 40c58e 15925->15926 15926->15775 15926->15781 15926->15783 15928 40f33b 15927->15928 15929 40ca1d 15927->15929 15930 40f347 htons socket 15928->15930 15929->15247 15929->15800 15931 40f382 ioctlsocket 15930->15931 15932 40f374 closesocket 
15930->15932 15933 40f3aa connect select 15931->15933 15934 40f39d 15931->15934 15932->15929 15933->15929 15936 40f3f2 __WSAFDIsSet 15933->15936 15935 40f39f closesocket 15934->15935 15935->15929 15936->15935 15937 40f403 ioctlsocket 15936->15937 15939 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15937->15939 15939->15929 15941 407dc8 InterlockedExchange 15940->15941 15942 407dc0 Sleep 15941->15942 15943 407dd4 15941->15943 15942->15941 15943->15827 15943->15828 15945 40e184 15944->15945 15946 40e2e4 15945->15946 15947 40e223 15945->15947 15960 40dfe2 15945->15960 15946->15855 15947->15946 15949 40dfe2 8 API calls 15947->15949 15953 40e23c 15949->15953 15950 40e1be 15950->15947 15951 40dbcf 3 API calls 15950->15951 15954 40e1d6 15951->15954 15952 40e21a CloseHandle 15952->15947 15953->15946 15964 40e095 RegCreateKeyExA 15953->15964 15954->15947 15954->15952 15955 40e1f9 WriteFile 15954->15955 15955->15952 15957 40e213 15955->15957 15957->15952 15958 40e2a3 15958->15946 15959 40e095 4 API calls 15958->15959 15959->15946 15961 40dffc 15960->15961 15963 40e024 15960->15963 15962 40db2e 8 API calls 15961->15962 15961->15963 15962->15963 15963->15950 15965 40e172 15964->15965 15966 40e0c0 15964->15966 15965->15958 15967 40e13d 15966->15967 15969 40e115 RegSetValueExA 15966->15969 15968 40e14e RegDeleteValueA RegCloseKey 15967->15968 15968->15965 15969->15966 15969->15967 15971 403122 InterlockedExchange 15970->15971 15972 40312e 15971->15972 15973 40310f GetTickCount 15971->15973 15972->15866 15973->15972 15974 40311a Sleep 15973->15974 15974->15971 15976 40f04e 4 API calls 15975->15976 15983 403a83 15976->15983 15977 403ac1 15977->15876 15977->15879 15978 403be6 15979 40ec2e codecvt 4 API calls 15978->15979 15979->15977 15980 403bc0 15980->15978 15982 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15980->15982 15981 403b66 lstrlenA 15981->15977 15981->15983 15982->15980 15983->15977 15983->15980 15983->15981 15984->15894 15985->15891 
15987 402419 4 API calls 15986->15987 15988 4024b6 15987->15988 15988->15912 15990 40dd79 lstrlenA 15989->15990 15990->15294 15992 404084 15991->15992 15993 40407d 15991->15993 15994 403ecd 6 API calls 15992->15994 15995 40408f 15994->15995 15996 404000 3 API calls 15995->15996 15998 404095 15996->15998 15997 404130 15999 403ecd 6 API calls 15997->15999 15998->15997 16003 403f18 4 API calls 15998->16003 16000 404159 CreateNamedPipeA 15999->16000 16001 404167 Sleep 16000->16001 16002 404188 ConnectNamedPipe 16000->16002 16001->15997 16005 404176 CloseHandle 16001->16005 16004 404195 GetLastError 16002->16004 16015 4041ab 16002->16015 16006 4040da 16003->16006 16008 40425e DisconnectNamedPipe 16004->16008 16004->16015 16005->16002 16007 403f8c 4 API calls 16006->16007 16009 4040ec 16007->16009 16008->16002 16010 404127 CloseHandle 16009->16010 16011 404101 16009->16011 16010->15997 16012 403f18 4 API calls 16011->16012 16013 40411c ExitProcess 16012->16013 16014 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16014->16015 16015->16002 16015->16008 16015->16014 16016 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16015->16016 16017 40426a CloseHandle CloseHandle 16015->16017 16016->16015 16018 40e318 23 API calls 16017->16018 16019 40427b 16018->16019 16019->16019 16021 408791 16020->16021 16022 40879f 16020->16022 16023 40f04e 4 API calls 16021->16023 16024 40f04e 4 API calls 16022->16024 16026 4087bc 16022->16026 16023->16022 16024->16026 16025 40e819 11 API calls 16027 4087d7 16025->16027 16026->16025 16040 408803 16027->16040 16042 4026b2 gethostbyaddr 16027->16042 16030 4087eb 16032 40e8a1 30 API calls 16030->16032 16030->16040 16032->16040 16035 40e819 11 API calls 16035->16040 16036 4088a0 Sleep 16036->16040 16038 4026b2 2 API calls 16038->16040 16039 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16039->16040 16040->16035 16040->16036 16040->16038 16040->16039 16041 40e8a1 30 API 
calls 16040->16041 16047 408cee 16040->16047 16055 40c4d6 16040->16055 16058 40c4e2 16040->16058 16061 402011 16040->16061 16096 408328 16040->16096 16041->16040 16043 4026fb 16042->16043 16044 4026cd 16042->16044 16043->16030 16045 4026e1 inet_ntoa 16044->16045 16046 4026de 16044->16046 16045->16046 16046->16030 16048 408d02 GetTickCount 16047->16048 16049 408dae 16047->16049 16048->16049 16052 408d19 16048->16052 16049->16040 16050 408da1 GetTickCount 16050->16049 16052->16050 16054 408d89 16052->16054 16148 40a677 16052->16148 16151 40a688 16052->16151 16054->16050 16159 40c2dc 16055->16159 16059 40c2dc 141 API calls 16058->16059 16060 40c4ec 16059->16060 16060->16040 16062 402020 16061->16062 16063 40202e 16061->16063 16064 40f04e 4 API calls 16062->16064 16065 40204b 16063->16065 16066 40f04e 4 API calls 16063->16066 16064->16063 16067 40206e GetTickCount 16065->16067 16068 40f04e 4 API calls 16065->16068 16066->16065 16069 4020db GetTickCount 16067->16069 16079 402090 16067->16079 16071 402068 16068->16071 16070 402132 GetTickCount GetTickCount 16069->16070 16082 4020e7 16069->16082 16073 40f04e 4 API calls 16070->16073 16071->16067 16072 4020d4 GetTickCount 16072->16069 16075 402159 16073->16075 16074 40212b GetTickCount 16074->16070 16077 4021b4 16075->16077 16081 40e854 13 API calls 16075->16081 16076 402684 2 API calls 16076->16079 16080 40f04e 4 API calls 16077->16080 16079->16072 16079->16076 16085 4020ce 16079->16085 16486 401978 16079->16486 16084 4021d1 16080->16084 16086 40218e 16081->16086 16082->16074 16087 402125 16082->16087 16090 401978 15 API calls 16082->16090 16491 402ef8 16082->16491 16088 4021f2 16084->16088 16091 40ea84 30 API calls 16084->16091 16085->16072 16089 40e819 11 API calls 16086->16089 16087->16074 16088->16040 16092 40219c 16089->16092 16090->16082 16093 4021ec 16091->16093 16092->16077 16499 401c5f 16092->16499 16094 40f04e 4 API calls 16093->16094 16094->16088 16097 407dd6 6 API calls 16096->16097 16098 40833c 16097->16098 
16099 406ec3 2 API calls 16098->16099 16125 408340 16098->16125 16100 40834f 16099->16100 16101 40835c 16100->16101 16107 40846b 16100->16107 16102 4073ff 17 API calls 16101->16102 16126 408373 16102->16126 16103 4085df 16104 408626 GetTempPathA 16103->16104 16105 408638 16103->16105 16115 408762 16103->16115 16104->16105 16571 406ba7 IsBadCodePtr 16105->16571 16106 40675c 21 API calls 16106->16103 16109 4084a7 RegOpenKeyExA 16107->16109 16122 408450 16107->16122 16110 4084c0 RegQueryValueExA 16109->16110 16111 40852f 16109->16111 16113 408521 RegCloseKey 16110->16113 16114 4084dd 16110->16114 16116 408564 RegOpenKeyExA 16111->16116 16129 4085a5 16111->16129 16112 4086ad 16112->16115 16117 407e2f 6 API calls 16112->16117 16113->16111 16114->16113 16119 40ebcc 4 API calls 16114->16119 16121 40ec2e codecvt 4 API calls 16115->16121 16115->16125 16118 408573 RegSetValueExA RegCloseKey 16116->16118 16116->16129 16130 4086bb 16117->16130 16118->16129 16124 4084f0 16119->16124 16120 40875b DeleteFileA 16120->16115 16121->16125 16122->16103 16122->16106 16124->16113 16128 4084f8 RegQueryValueExA 16124->16128 16125->16040 16126->16122 16126->16125 16127 4083ea RegOpenKeyExA 16126->16127 16127->16122 16131 4083fd RegQueryValueExA 16127->16131 16128->16113 16132 408515 16128->16132 16129->16122 16133 40ec2e codecvt 4 API calls 16129->16133 16130->16120 16137 4086e0 lstrcpyA lstrlenA 16130->16137 16134 40842d RegSetValueExA 16131->16134 16135 40841e 16131->16135 16136 40ec2e codecvt 4 API calls 16132->16136 16133->16122 16138 408447 RegCloseKey 16134->16138 16135->16134 16135->16138 16139 40851d 16136->16139 16140 407fcf 64 API calls 16137->16140 16138->16122 16139->16113 16141 408719 CreateProcessA 16140->16141 16142 40873d CloseHandle CloseHandle 16141->16142 16143 40874f 16141->16143 16142->16115 16144 407ee6 64 API calls 16143->16144 16145 408754 16144->16145 16146 407ead 6 API calls 16145->16146 16147 40875a 16146->16147 16147->16120 16154 40a63d 16148->16154 16150 40a685 
16150->16052 16152 40a63d GetTickCount 16151->16152 16153 40a696 16152->16153 16153->16052 16155 40a645 16154->16155 16156 40a64d 16154->16156 16155->16150 16157 40a66e 16156->16157 16158 40a65e GetTickCount 16156->16158 16157->16150 16158->16157 16175 40a4c7 GetTickCount 16159->16175 16162 40c300 GetTickCount 16164 40c337 16162->16164 16163 40c326 16163->16164 16165 40c32b GetTickCount 16163->16165 16169 40c363 GetTickCount 16164->16169 16174 40c45e 16164->16174 16165->16164 16166 40c4d2 16166->16040 16167 40c4ab InterlockedIncrement CreateThread 16167->16166 16168 40c4cb CloseHandle 16167->16168 16180 40b535 16167->16180 16168->16166 16170 40c373 16169->16170 16169->16174 16171 40c378 GetTickCount 16170->16171 16172 40c37f 16170->16172 16171->16172 16173 40c43b GetTickCount 16172->16173 16173->16174 16174->16166 16174->16167 16176 40a4f7 InterlockedExchange 16175->16176 16177 40a500 16176->16177 16178 40a4e4 GetTickCount 16176->16178 16177->16162 16177->16163 16177->16174 16178->16177 16179 40a4ef Sleep 16178->16179 16179->16176 16181 40b566 16180->16181 16182 40ebcc 4 API calls 16181->16182 16183 40b587 16182->16183 16184 40ebcc 4 API calls 16183->16184 16216 40b590 16184->16216 16185 40bdcd InterlockedDecrement 16186 40bde2 16185->16186 16188 40ec2e codecvt 4 API calls 16186->16188 16189 40bdea 16188->16189 16191 40ec2e codecvt 4 API calls 16189->16191 16190 40bdb7 Sleep 16190->16216 16192 40bdf2 16191->16192 16193 40be05 16192->16193 16195 40ec2e codecvt 4 API calls 16192->16195 16194 40bdcc 16194->16185 16195->16193 16196 40ebed 8 API calls 16196->16216 16199 40b6b6 lstrlenA 16199->16216 16200 4030b5 2 API calls 16200->16216 16201 40e819 11 API calls 16201->16216 16202 40b6ed lstrcpyA 16255 405ce1 16202->16255 16205 40b731 lstrlenA 16205->16216 16206 40b71f lstrcmpA 16206->16205 16206->16216 16207 40b772 GetTickCount 16207->16216 16208 40bd49 InterlockedIncrement 16349 40a628 16208->16349 16211 40b7ce InterlockedIncrement 16265 40acd7 16211->16265 16212 
control_flow_graph (remainder of edge list omitted; the report renders it interactively). Recoverable node labels: networking routines in the 0x401feb-0x40f428 range (socket, select, recv, send, sendto, htons, inet_addr, inet_ntoa, gethostbyname, gethostname, closesocket, InterlockedIncrement/InterlockedExchange, GetTickCount, Sleep, wsprintfA, lstrcpynA/lstrcpyA/lstrlenA, GetProcessHeap/HeapAlloc/HeapFree, GetModuleHandleA/LoadLibraryA/GetProcAddress, GetCurrentThreadId, IsBadCodePtr); a time-stamping routine at 0x40b211 (GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation); a file-writing routine at 0x406bc0 (CreateFileA, WriteFile, CloseHandle, DeleteFileA); and code in the 0x2ac0000 and 0x2b1d000 regions (GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, CreateToolhelp32Snapshot, Module32First).
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph

                                                                                            control_flow_graph: function 0x409326-0x4096a9 (GetVersionExA, GetModuleHandleA, GetModuleFileNameA, wsprintfA x3, RegOpenKeyExA, RegQueryValueExA x2, RegCloseKey; internal calls 401910, 402544, 40ee2a, 406edd, 406cc9, 40ef00, 40ef1e, 401820, 4091eb, 40f0e4, 4018e0; edge list omitted, rendered interactively in the report)
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                            Control-flow Graph

                                                                                            control_flow_graph: function 0x406a60-0x406ba6 (CreateFileA, GetDiskFreeSpaceA, GetLastError x3, CloseHandle x2, FindCloseChangeNotification, DeleteFileA; internal calls 40eb0e, 406987, 40eca5; edge list omitted, rendered interactively in the report)
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1251348514-2980165447
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B1DFD0
• Module32First.KERNEL32(00000000,00000224), ref: 02B1DFF0
Memory Dump Source
• Source File: 00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B19000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b19000_fdnoqmpv.jbxd
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 003690f2f74fb08b4de19db76438740aecb91e4d3f798fae5f41234db94a7513
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 4FF096321007166BD7203BF9988CF6E77E9EF49624F900568E642915C0DB74E9454A61

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
• Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
• Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
• Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
• RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00407208
• RegCloseKey.ADVAPI32(75920F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"$PromptOnSecureDesktop
• API String ID: 4293430545-98143240
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02AC024D
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 77b4f91f235047b03f240085a0b62e3264a2354fde38222ea06cf8f4f096a48e
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: CF526A75A01229DFDB64CF68C984BACBBB1BF09304F1480E9E54DAB351DB30AA95DF14

Control-flow Graph
APIs
• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
• lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
• String ID: PromptOnSecureDesktop
• API String ID: 4131120076-2980165447
• Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
• Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
• Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
• Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

Control-flow Graph
• Edge list not reproduced. Entry block 404000-404008; CreateFileA at 40400b-40402a; on failure GetLastError at 40402c-404035, then two checks on the error code (404037-40403f) that either leave via 404052 or reach Sleep at 404041-404050 and retry CreateFileA; success path 404057-40405c.
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
Strings
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID: PromptOnSecureDesktop
• API String ID: 408151869-2980165447
• Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
• Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
• Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

Control-flow Graph
• Edge list not reproduced. Entry block 406987-4069b7; first WriteFile at 4069e4-4069fd; second WriteFile at 406a10-406a2e inside a loop (406a35-406a3a back to 406a10); exit 406a5b-406a5f.
APIs
• WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
• Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
• Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

Control-flow Graph
• Edge list not reproduced. Entry block 4091eb-409208; calls 40ed03 (40920e-40921c and 40921e-40922c) and 40ee08 (409250-409270); ShellExecuteA at 4092bf-4092db; Sleep at 4092f1-4092f6 on the path through 4092ea-4092ef; 4092fc-409302 loops back to 409308 or 40920e; exit 40930b-40930f.
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
• Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-0
• Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
• Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
• Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
• Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

Control-flow Graph
• Edge list not reproduced. Single block 2ac0e0f-2ac0e24 with two SetErrorMode calls, then 2ac0e26 or directly 2ac0e2b-2ac0e2c.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,02AC0223,?,?), ref: 02AC0E19
• SetErrorMode.KERNELBASE(00000000,?,?,02AC0223,?,?), ref: 02AC0E1E
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: 8a735869a6528d6606602727038bf9373a82e2c2b859bec44d6c4f97bdc17d1c
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 94D01231145128B7D7003B94DC09BCD7B1CDF05B66F108011FB0DD9080CB7095404AE5

Control-flow Graph
• Edge list not reproduced. Entry block 406dc2-406dd5; 406dd7-406df1 calls 406cc9 and 40ef00; loop at 406df4-406df9; GetVolumeInformationA at 406e02-406e22; exit 406e33-406e35.
APIs
  • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
  • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
  • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
  • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
• String ID:
• API String ID: 1823874839-0
• Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
• Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
• Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B1DCB8
Memory Dump Source
• Source File: 00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B19000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b19000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: cccd54f19bd95910a0c328667e768906a8c0285b461968e788d3715cea6482d9
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 42112B79A00209EFDB01DF98C985E99BBF5AF08351F0580A4F9489B361D371EA50DF80
APIs
• closesocket.WS2_32(?), ref: 0040CA4E
• closesocket.WS2_32(?), ref: 0040CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• CloseHandle.KERNEL32(?), ref: 0040CD98
• CloseHandle.KERNEL32(?), ref: 0040CD9D
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
• lstrcatA.KERNEL32(?,?), ref: 0040D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• CloseHandle.KERNEL32(00000000), ref: 0040D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
• lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• closesocket.WS2_32(?), ref: 0040D56C
• Sleep.KERNEL32(000003E8), ref: 0040D577
• ExitProcess.KERNEL32 ref: 0040D583
• wsprintfA.USER32 ref: 0040D81F
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
• closesocket.WS2_32(?), ref: 0040DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-3791576231
                                                                                            • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                            • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-3716895483
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 02AC65F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02AC6610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02AC6631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02AC6652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 313b01b5694e347194cf80b6a4a92a6330e840efdc6b2a4cc9acd222c507389c
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 63117771600218BFDB119F65DD45F9B3FACEB45BA5F204029FA05D7250DBB1DD008AA4
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: ba8c12a3e452939846fd921f81fc0805f73b0fcdea2c158ac85d7ace117d28a8
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: 203139B6910609DFDB14CF99C880BAEBBF9FF48324F25414AD441AB210DB71EA45CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                            • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136944010.0000000002B19000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B19000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2b19000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: dd4186705bafbf549dca4e8e6b16e61753ecb35a3262cda571ba8600bf7122bc
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: 7211A172740101AFDB44DF55DCD0FA673EAEB88760B6980A5ED08CB319D775E802CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction ID: 06ad2c2c1f6419307f60a8a3603d4e76a2fe1128416141491a51f16bf6b4cb53
                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction Fuzzy Hash: 2F01A776610704CFDF21CF24C844BAA33E9EB85215F5544A9D50697241EB74A9418F90
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 02AC9E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 02AC9FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02AC9FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 02ACA004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 02ACA054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02ACA09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02ACA0D6
                                                                                            • lstrcpy.KERNEL32 ref: 02ACA12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 02ACA13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02AC9F13
                                                                                              • Part of subcall function 02AC7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02AC7081
                                                                                              • Part of subcall function 02AC6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\jfniizgw,02AC7043), ref: 02AC6F4E
                                                                                              • Part of subcall function 02AC6F30: GetProcAddress.KERNEL32(00000000), ref: 02AC6F55
                                                                                              • Part of subcall function 02AC6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02AC6F7B
                                                                                              • Part of subcall function 02AC6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02AC6F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 02ACA1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02ACA1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 02ACA214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 02ACA21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 02ACA265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02ACA29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02ACA2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 02ACA2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02ACA2F4
                                                                                            • wsprintfA.USER32 ref: 02ACA31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02ACA345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02ACA364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 02ACA387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 02ACA398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02ACA1D1
                                                                                              • Part of subcall function 02AC9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02AC999D
                                                                                              • Part of subcall function 02AC9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 02AC99BD
                                                                                              • Part of subcall function 02AC9966: RegCloseKey.ADVAPI32(?), ref: 02AC99C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 02ACA3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 02ACA3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 02ACA41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: ed1f7ba47c0d5a0ef80aec24ffe353f9ee8b40c07c08008a70f91cdd74c55c8f
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: ABF133B1D4025DAFDF11DFA09D88FEF77BDAB08304F2444AAE605E2141EB758A848F65
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02AC7D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02AC7D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02AC7D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02AC7DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02AC7DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02AC7DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02AC7DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02AC7DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02AC7E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02AC7E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02AC7E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02AC7E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 7b9132e8dd3ef194ab6c32d4a4f1cd073d822ac36a3db40e3c4831cb9803f7a2
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: 4FA15FB2900219AFDF118FA1DD88FEEBBBDFB08344F14816AE505E6150DB758A85CF64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02AC7A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02AC7ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02AC7ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02AC7B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02AC7B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02AC7B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02AC7B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02AC7B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02AC7B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02AC7B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02AC7B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02AC7B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 02AC7BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02AC7BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 02AC7C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02AC7C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02AC7CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02AC7CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02AC7CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02AC7CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02AC7CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 08ef20cf7bd75856e68c4ab0dc8446901c2bd13524ee34c23a94f92ddd938223
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 87814D7190021AAFDB11CFA5DD84FEEBBBCBF08344F14806AE615E6150DB759A41CF64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 02AC865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 02AC867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 02AC86A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02AC86B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 237177642-3108538426
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 3d119fd11d88b874ca8b2db30236301af6dd5081689a2881516e3675571b076a
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 5CC18FB1940249FEEB12ABA4DD84EEF7BBDFB04344F24407AF605E6050EF744A948B65
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02AC1601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 02AC17D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: d216e11b4876b2a64f2001163a468d4826bc29e9e086f8513d149408158f4d03
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 5CF18CB1608341DFD720DF64C888BABB7E5FB88304F10892DF59A97291DBB4D944CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02AC76D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02AC7757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 02AC778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 02AC78B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02AC794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02AC796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02AC797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02AC79AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02AC7A56
                                                                                              • Part of subcall function 02ACF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,02AC772A,?), ref: 02ACF414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02AC79F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02AC7A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: 727942a69f7db99c59d688b056cb50b7099a22548feaa494b678926d839a12e1
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: 6BC16371940119AFDB21DBA4DD84FEEBBBEEF49710F2440AAE504E6150EF719A84CF60
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02AC2CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02AC2D07
                                                                                            • htons.WS2_32(00000000), ref: 02AC2D42
                                                                                            • select.WS2_32 ref: 02AC2D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02AC2DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02AC2E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: b28830a6ef8e3fe72e65a9b0dd77033c3f3fa8ffba24216fb6cb439a316af100
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: D861C1B1504309ABC3209F64DC48B6BBBF8EB48755F25481EFD84A7150DFB5D880CBA6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 02AC95A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02AC95D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02AC95DC
                                                                                            • wsprintfA.USER32 ref: 02AC9635
                                                                                            • wsprintfA.USER32 ref: 02AC9673
                                                                                            • wsprintfA.USER32 ref: 02AC96F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02AC9758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02AC978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02AC97D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3696105349-2980165447
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: e4370cc1394cf319aa8362f03900030c1e7bfa1e732adcc23aadf851994bc924
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: ADA16DB1940249EFEB21DFA0CD85FEB3BADEB04740F20402AFA15A6151EB75D584CFA5
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-142018493
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 02AC202D
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 02AC204F
                                                                                            • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 02AC206A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02AC2071
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 02AC2082
                                                                                            • GetTickCount.KERNEL32 ref: 02AC2230
                                                                                              • Part of subcall function 02AC1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02AC1E7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                            • API String ID: 4207808166-1391650218
                                                                                            • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: f6e1698765e608a7c3a760930c628acc493b8fb17089450fe1627d6bb9668570
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: 055127B0540344AFE330AF758D85F67BAECEF54704F10492DF99682242DFB9A984CB65
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02AC3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02AC3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 02AC3095
• RtlAllocateHeap.NTDLL(00000000), ref: 02AC30B6
• htons.WS2_32(00000035), ref: 02AC30EF
• inet_addr.WS2_32(?), ref: 02AC30FA
• gethostbyname.WS2_32(?), ref: 02AC310D
• HeapFree.KERNEL32(00000000), ref: 02AC314D
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 02AC67C3
• htonl.WS2_32(?), ref: 02AC67DF
• htonl.WS2_32(?), ref: 02AC67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 02AC68F1
• ExitProcess.KERNEL32 ref: 02AC69BC
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
APIs
• htons.WS2_32(02ACCC84), ref: 02ACF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 02ACF5CE
• closesocket.WS2_32(00000000), ref: 02ACF5DC
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
APIs
• GetModuleHandleA.KERNEL32(?), ref: 02AC2FA1
• LoadLibraryA.KERNEL32(?), ref: 02AC2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 02AC2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02AC3000
• RtlAllocateHeap.NTDLL(00000000), ref: 02AC3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02AC3032
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
APIs
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\jfniizgw,02AC7043), ref: 02AC6F4E
• GetProcAddress.KERNEL32(00000000), ref: 02AC6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02AC6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02AC6F92
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\jfniizgw
• API String ID: 1082366364-1680333594
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: d2f1d04c8e8d16af2e0a5b2c95acb452fdb97a6b85f6f66ab0db2f25f9775864
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: EA2104217803407DF72297319DC8FFB2E4D8B52B24F2840AEF904E5580DFD984D686AD
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 02AC92E2
                                                                                            • wsprintfA.USER32 ref: 02AC9350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02AC9375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 02AC9389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 02AC9394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02AC939B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: b28c4fb3f9d159dee6801d0f081fcbdbbeb43c34b9ffa7ecd44c3ddecf5963c9
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: 4A1172B17401147BE7206771EE0DFEF3A6EDBC8B10F10806ABB09E5090EEB44E418BA4
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02AC9A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 02AC9A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 02AC9A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02AC9A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 02AC9AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 02AC9AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: 9b27f4a86a7b25cd76c4974f216773a6d9ca5eca07098c62b693717ca06618c3
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: 4C213BB1A01219BBDF11DBA1DC49EEF7BBCEF04750F504065FA19E1050EB758A45CBA4
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 02AC1C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 02AC1C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 02AC1C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02AC1C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02AC1CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 02AC1D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 02AC1D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: 2d10a2138d5e6b5d20c265097ce25f53e3946cd46885f9c4e73107c9bc14126c
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: ED313A32E00219BFCB129FA4DCC89EEBAB9EB45715B34447EF509A2111DBB54E80DB94
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1586453840-2980165447
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1371578007-2980165447
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02AC6CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02AC6D22
                                                                                            • GetLastError.KERNEL32 ref: 02AC6DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 02AC6DB5
                                                                                            • GetLastError.KERNEL32 ref: 02AC6DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02AC6DE7
                                                                                            • GetLastError.KERNEL32 ref: 02AC6DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: e0471e81f520155d52cba6de4406870ecd24b084fd56967af34d513f5f5f154d
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 8531E776900649BFCB02DFA4DD84ADE7FBDEF88710F24806AE251E3250DB7089558BA1
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02AC93C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02AC93CD
                                                                                            • CharToOemA.USER32(?,?), ref: 02AC93DB
                                                                                            • wsprintfA.USER32 ref: 02AC9410
                                                                                              • Part of subcall function 02AC92CB: GetTempPathA.KERNEL32(00000400,?), ref: 02AC92E2
                                                                                              • Part of subcall function 02AC92CB: wsprintfA.USER32 ref: 02AC9350
                                                                                              • Part of subcall function 02AC92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02AC9375
                                                                                              • Part of subcall function 02AC92CB: lstrlen.KERNEL32(?,?,00000000), ref: 02AC9389
                                                                                              • Part of subcall function 02AC92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02AC9394
                                                                                              • Part of subcall function 02AC92CB: CloseHandle.KERNEL32(00000000), ref: 02AC939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02AC9448
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: 744e0ff1de9ba136298fa5037b4b68fede678e1b044087abdb577f778d2b4452
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: E40192F6940118BBD720A7619D89EDF377CDB95701F0040A6BB49E2080EAB497C48F75
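Three of the function listings above carry API chains worth matching on their own, independent of any signature name: CreateProcessA called with dwCreationFlags 00000004 (CREATE_SUSPENDED) and then GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread on the new process (the 02AC9A18 listing); GetTempPathA, CreateFileA with dwDesiredAccess 40000000 (GENERIC_WRITE) and dwCreationDisposition 00000002 (CREATE_ALWAYS), WriteFile and then ShellExecuteA from the same function (the 0040915F and 02AC93C6 listings and their 00409064 / 02AC92CB subcalls); and RegOpenKeyExA / RegQueryValueExA with the PromptOnSecureDesktop value name among the recorded arguments (the 0040E3E6 listing). The script below is an added example, not Joe Sandbox code and not part of this report: it parses listing lines in the "• Name.MODULE(args), ref: addr" shape shown above and flags those three chains. The rule names, the parser and the `scan` entry point are my own; the sample input is constructed by copying lines from the listings above. One caveat a practitioner should keep in mind: the argument columns in these listings are reconstructed from the stack at call time and can contain more values than the API actually takes (RegOpenKeyExA shows six values for a five-parameter API), so positional checks are only trustworthy for the leading parameters, which is all the rules below rely on.

```python
"""Flag suspicious API chains in Joe Sandbox-style per-function API listings (added example)."""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x4       # CreateProcess dwCreationFlags bit
GENERIC_WRITE = 0x40000000   # CreateFile dwDesiredAccess
CREATE_ALWAYS = 0x2          # CreateFile dwCreationDisposition

# One listing line: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR",
# optionally prefixed with "Part of subcall function XXXX:".
_API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)"
)


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str


def parse_calls(listing: str) -> list:
    """Turn listing lines into Call records; lines that are not API entries are skipped."""
    calls = []
    for line in listing.splitlines():
        m = _API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            calls.append(Call(m.group(1), m.group(2), args, m.group(4)))
    return calls


def _hex_arg(call: Call, idx: int):
    """Argument idx as an int, or None when it is absent or recorded as '?'."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None


def _ordered(prefixes, calls) -> bool:
    """True if a call matching each prefix occurs in the listing in this relative order."""
    it = iter(calls)
    return all(any(c.name.startswith(p) for c in it) for p in prefixes)


def find_suspended_injection(calls) -> bool:
    """CreateProcess(CREATE_SUSPENDED) followed by the context-hijack sequence."""
    for i, c in enumerate(calls):
        if c.name.startswith("CreateProcess"):
            flags = _hex_arg(c, 5)  # dwCreationFlags is the 6th parameter
            if flags is not None and flags & CREATE_SUSPENDED and _ordered(
                ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
                calls[i + 1:],
            ):
                return True
    return False


def find_temp_drop_and_execute(calls) -> bool:
    """A file written under %TEMP% (GENERIC_WRITE, CREATE_ALWAYS) and launched via ShellExecute."""
    if not _ordered(["GetTempPath", "CreateFile", "WriteFile", "ShellExecute"], calls):
        return False
    for c in calls:
        if c.name.startswith("CreateFile"):
            access, disposition = _hex_arg(c, 1), _hex_arg(c, 4)
            if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                return True
    return False


def find_uac_policy_read(calls) -> bool:
    """A registry open/query whose recorded arguments name the PromptOnSecureDesktop value."""
    return any(c.name.startswith("Reg") and "PromptOnSecureDesktop" in c.args for c in calls)


RULES = {  # rule names are my own, not Joe Sandbox signature names
    "suspended_process_injection": find_suspended_injection,
    "temp_drop_and_execute": find_temp_drop_and_execute,
    "uac_policy_read": find_uac_policy_read,
}


def scan(listing: str) -> list:
    """Names of the rules that fire on one function's API listing."""
    calls = parse_calls(listing)
    return [name for name, rule in RULES.items() if rule(calls)]


# Constructed input: lines copied from the report's function listings.
INJECT = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02AC9A18
• GetThreadContext.KERNEL32(?,?), ref: 02AC9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02AC9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02AC9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02AC9AB5
• ResumeThread.KERNEL32(?), ref: 02AC9AC2
"""
DROP = """
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02AC93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 02AC93CD
• wsprintfA.USER32 ref: 02AC9410
  • Part of subcall function 02AC92CB: GetTempPathA.KERNEL32(00000400,?), ref: 02AC92E2
  • Part of subcall function 02AC92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02AC9375
  • Part of subcall function 02AC92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02AC9394
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02AC9448
"""
REGISTRY = """
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
"""
BENIGN = """
• GetProcessHeap.KERNEL32 ref: 02AC1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02AC1C9D
• HeapFree.KERNEL32(?,00000000,00000000), ref: 02AC1D02
"""

if __name__ == "__main__":
    for label, text in [("inject", INJECT), ("drop", DROP), ("registry", REGISTRY), ("benign", BENIGN)]:
        print(label, scan(text))
```

The CreateProcess rule deliberately keys on the CREATE_SUSPENDED bit rather than on the presence of WriteProcessMemory alone, because a debugger or an installer can legitimately write to a child it created; the injection pattern is a suspended primary thread whose context is rewritten before it ever runs. The temp-drop rule accepts the subcall entries so a helper that does the file write (00409064 / 02AC92CB above) still counts toward the chain in the caller's listing.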
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: c3c1a404d2b7124a8a19904e562d77d770eb000c1d04f97c8f1e7e34faa141b8
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: 33713D72A4430CAADF228F94EDC5FFE376A9B00719F34402FFA05A6092DF6199848B55
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 02ACDF6C: GetCurrentThreadId.KERNEL32 ref: 02ACDFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 02ACE8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02AC6128), ref: 02ACE950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 02ACE989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: 69ee697530233958e8ea703659a630662db4f57e88b0a6e5b5491f73afe4729d
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: B6319E31A04705DBDF79CF24CAC4BA6BBE8FB09724F20892EE55587550DB74E880CB81
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: 125b20d4faadb30380566825b29f456e05411e2b071f47034fcb44822e95e48a
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: DA211FB6104119BFDB109B61ED88EDF7FADDB89AA5B20842AF502D5090EF70DA409A74
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02ACC6B4
                                                                                            • InterlockedIncrement.KERNEL32(02ACC74B), ref: 02ACC715
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,02ACC747), ref: 02ACC728
                                                                                            • CloseHandle.KERNEL32(00000000,?,02ACC747,00413588,02AC8A77), ref: 02ACC733
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1026198776-1857712256
                                                                                            • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction ID: 4d704acc50a453173ca13e31d6654ea096de445e1b2a96ffc76c062872ac3895
                                                                                            • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                            • Instruction Fuzzy Hash: D0514FB1A41B458FD7249F29C6D4626BBFAFB48314B60693FE18BC7A90DB74E440CB10
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 124786226-2980165447
                                                                                            • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,02ACE50A,00000000,00000000,00000000,00020106,00000000,02ACE50A,00000000,000000E4), ref: 02ACE319
                                                                                            • RegSetValueExA.ADVAPI32(02ACE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02ACE38E
                                                                                            • RegDeleteValueA.ADVAPI32(02ACE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02ACE3BF
                                                                                            • RegCloseKey.ADVAPI32(02ACE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,02ACE50A), ref: 02ACE3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: b0669220aeb55db5b73809aac0990e0e46dfc548a0a26ed72c6c8569f99f50ad
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: 69215C71A0021DBBDF209FA4ED89EEE7F79EF08760F108065F904E6150EB719A54DBA0
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02AC71E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02AC7228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 02AC7286
                                                                                            • wsprintfA.USER32 ref: 02AC729D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction ID: 917c653a46b49a89ddaf180f090a6c634719acf44abeb6038e8c15a3551d30dd
                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction Fuzzy Hash: 12310976900208BFDB01DFA8DD45ADABBADEF04314F24806AF959DB204EB75D6488F94
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 02ACB51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02ACB529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 02ACB548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 02ACB590
                                                                                            • wsprintfA.USER32 ref: 02ACB61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: bd9f97d5e8833d09c4ff0723640ff2566b35352b1b9421e470671f5f6c4cbe7d
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: F25131B1D0021CAACF14CFD5D9895EEBBB9BF48304F10852AF501B6150E7B94AC9CFA8
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02AC6303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02AC632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 02AC63B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02AC6405
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: 175403e817e80d58ab4e718d8d67e06ecb80a565259c9bb3788ae781d2721c37
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: 86414D71A00205EFDB14CF58C984BA9B7B8FF84B58F2481ADE865D7390DB71E941CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3683885500-2980165447
                                                                                            • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                            • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                            APIs
                                                                                              • Part of subcall function 02ACDF6C: GetCurrentThreadId.KERNEL32 ref: 02ACDFBA
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,02ACA6AC), ref: 02ACE7BF
                                                                                            • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,02ACA6AC), ref: 02ACE7EA
                                                                                            • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,02ACA6AC), ref: 02ACE819
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1396056608-2980165447
                                                                                            • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction ID: 1c8ec6f4395eb9a164b7e0fef479ca2bdcb9efb5d2dbb0422024163efdcda56e
                                                                                            • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction Fuzzy Hash: 4D21E7B1A84300BAE22077259E45FEB3E1DDB65B60F30003DBA09B51D3FE5595508AF5
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02AC76D9
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02AC796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02AC797E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseEnumOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1332880857-2980165447
                                                                                            • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction ID: 930d92dffb251d09a30cfbfbe020b9c4be990b6e0c218fe632fe0785898cf75c
                                                                                            • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction Fuzzy Hash: 1B11AC70A00109AFDB119FA9EC85FAFFFBDEB85714F240169F515E6290EBB189408F60
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02AC999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 02AC99BD
• RegCloseKey.ADVAPI32(?), ref: 02AC99C6
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02AC69E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02AC6A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 02AC6A3A
• CloseHandle.KERNEL32(000000FF), ref: 02AC6BD8
  • Part of subcall function 02ACEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02AC1DCF,?), ref: 02ACEEA8
  • Part of subcall function 02ACEE95: HeapFree.KERNEL32(00000000), ref: 02ACEEAF
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02AC421F
• GetLastError.KERNEL32 ref: 02AC4229
• WaitForSingleObject.KERNEL32(?,?), ref: 02AC423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AC424D
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02AC41AB
• GetLastError.KERNEL32 ref: 02AC41B5
• WaitForSingleObject.KERNEL32(?,?), ref: 02AC41C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02AC41D9
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 02ACE066
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD

APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A

APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
• Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
• Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
• Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD

APIs
• WriteFile.KERNEL32(00000001,02AC44E2,00000000,00000000,00000000), ref: 02ACE470
• CloseHandle.KERNEL32(00000001,00000003), ref: 02ACE484
  • Part of subcall function 02ACE2FC: RegCreateKeyExA.ADVAPI32(80000001,02ACE50A,00000000,00000000,00000000,00020106,00000000,02ACE50A,00000000,000000E4), ref: 02ACE319
  • Part of subcall function 02ACE2FC: RegSetValueExA.ADVAPI32(02ACE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02ACE38E
  • Part of subcall function 02ACE2FC: RegDeleteValueA.ADVAPI32(02ACE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 02ACE3BF
  • Part of subcall function 02ACE2FC: RegCloseKey.ADVAPI32(02ACE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,02ACE50A), ref: 02ACE3C8
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
• Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
• Instruction ID: 0f7ad4295864a2272ba0b591c528ca987b65679a70409ce0407415267f5396ad
• Instruction Fuzzy Hash: 0B41DAB2940218FAEB206F518F85FDB3B6DDB04764F24807DFD19A4091EBB58650DAB4

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 02AC83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02AC8477
  • Part of subcall function 02AC69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 02AC69E5
  • Part of subcall function 02AC69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02AC6A26
  • Part of subcall function 02AC69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02AC6A3A
  • Part of subcall function 02ACEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02AC1DCF,?), ref: 02ACEEA8
  • Part of subcall function 02ACEE95: HeapFree.KERNEL32(00000000), ref: 02ACEEAF
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 359188348-2980165447
• Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction ID: 4282a061979dc35fc7d8828ce36ef45ac4cbfe1d879d7f8473dc072bfff03407
• Instruction Fuzzy Hash: 8B414DB2940109BEEB11EBA49FC0EEF77ADEB04344F2444AEE504E6110EFB45A948B64

APIs
• RegOpenKeyExA.ADVAPI32(80000001,02ACE859,00000000,00020119,02ACE859,PromptOnSecureDesktop), ref: 02ACE64D
• RegCloseKey.ADVAPI32(02ACE859,?,?,?,?,000000C8,000000E4), ref: 02ACE787
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
• API ID: CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 47109696-2980165447
• Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
• Instruction ID: 54435f3736a583d3131e05fe655c9f6f6e784fdb5249656ada256d5abd6e22c1
• Instruction Fuzzy Hash: 354108B2D0015DFFDF11AF94DD81EEEBBBAFB04304F24446AEA00B6150EB719A559B60

APIs
• GetLocalTime.KERNEL32(?), ref: 02ACAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02ACB00D
  • Part of subcall function 02ACAF6F: gethostname.WS2_32(?,00000080), ref: 02ACAF83
  • Part of subcall function 02ACAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 02ACAFE6
  • Part of subcall function 02AC331C: gethostname.WS2_32(?,00000080), ref: 02AC333F
  • Part of subcall function 02AC331C: gethostbyname.WS2_32(?), ref: 02AC3349
  • Part of subcall function 02ACAA0A: inet_ntoa.WS2_32(00000000), ref: 02ACAA10
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
• Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction ID: 29b721a7f76f8c10a39cbd27b655d6f180755b8ddc50ea093c9b04267bab47e0
• Instruction Fuzzy Hash: 94416D7294024CAFDF21EFA0DC45EEE3BADFB08314F24442BBA24D2151EA75DA448F64

APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02AC9536
• Sleep.KERNEL32(000001F4), ref: 02AC955D
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
• Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction ID: 64c767c656caeed4e6ee4ef8255aeb48008844d54d5731fdd625d6a488da2fef
• Instruction Fuzzy Hash: 464107B180438E6EFB368B64D9CC7F77BA49B02314F3441ADD48297192DF744989C711

APIs
• GetTickCount.KERNEL32 ref: 02ACB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 02ACBA3A
• InterlockedIncrement.KERNEL32(?), ref: 02ACBA94
• GetTickCount.KERNEL32 ref: 02ACBB79
• GetTickCount.KERNEL32 ref: 02ACBB99
• InterlockedIncrement.KERNEL32(?), ref: 02ACBE15
• closesocket.WS2_32(00000000), ref: 02ACBEB4
Memory Dump Source
• Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: 528c5cef9480262db2f85edd8b69987a959d45f554e493a5a7af0e2300923a59
• Instruction Fuzzy Hash: C6319E71400248DFDF25DFA4DC85BEAB7B9EB44704F20485AFA2492150DF32D685CF20

Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C

                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 02AC70BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 02AC70F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: 3980371b492c3f18a40fb398acb36021cf6b4d87a6820964b15a19a01f07af94
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: BE11FA72900118EBDB11CFD5DC84ADEB7BDAB04715F2481AAE501E62A4DB709B88CFA0
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2135476167.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                            APIs
                                                                                              • Part of subcall function 02AC2F88: GetModuleHandleA.KERNEL32(?), ref: 02AC2FA1
                                                                                              • Part of subcall function 02AC2F88: LoadLibraryA.KERNEL32(?), ref: 02AC2FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02AC31DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02AC31E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2136828797.0000000002AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2ac0000_fdnoqmpv.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 31266dd7b80b2644cacb4aff5643f61d331849f243e937acaea8edbc7f681ee9
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: D3516C7590024AAFCF019F64DC88AFAB775FF15305B2485A9EC96C7210EB329A19CB90
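The function blocks above all share one layout: an APIs list (direct calls plus "Part of subcall function" entries the plugin attributes from callees), a Strings list with xrefs, the memory-dump source, the snapshot file, and the Similarity keys (API ID, String ID, API String ID, Opcode ID, fuzzy hashes). The parser below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It turns a text excerpt of these blocks into records, lists the call sites of a given API, and pairs each GetProcAddress with the LoadLibraryA that precedes it in the same block, so that dynamically resolved imports such as Iphlpapi.dll / GetAdaptersAddresses can be pulled out of a report. The sample input is copied from three of the blocks above; the names parse_function_blocks, functions_calling and resolved_imports are the example's own.

```python
import re

# Three line shapes occur inside a Joe Sandbox IDA-plugin function block:
# an API call, a string with xrefs, and a "Key: Value" bullet.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<xrefs>[0-9A-Fa-f, ]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+): ?(?P<val>.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
SECTIONS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity")

# Sample input: three blocks copied from the report above (GetAdaptersAddresses
# resolution, ntdll.dll resolution, and the wsprintf status-string function).
REPORT_EXCERPT = """\
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_fdnoqmpv.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 00000000.00000002.2135476167.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CountTickwsprintf
• API String ID: 2424974917-1012700906
"""


def parse_function_blocks(text):
    """Split a report excerpt into one record per function block.

    A record is {"apis": [...], "strings": [...], "meta": {...}}.  A call is
    {"api", "module", "args", "ref", "subcall"}; "subcall" is the callee address
    the plugin attributed the call from, or None for a direct call.
    """
    records, section, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                     # every block opens with its APIs list
            rec = {"apis": [], "strings": [], "meta": {}}
            records.append(rec)
            section = "apis"
            continue
        if line in SECTIONS:
            section = line
            continue
        if rec is None:
            continue
        if section == "apis" and (m := CALL_RE.match(line)):
            rec["apis"].append({
                "api": m["api"], "module": m["mod"],
                "args": [a.strip() for a in m["args"].split(",")] if m["args"] else [],
                "ref": m["ref"].upper(),
                "subcall": m["sub"].upper() if m["sub"] else None,
            })
        elif section == "Strings" and (m := STRING_RE.match(line)):
            rec["strings"].append((m["text"], m["xrefs"].replace(" ", "").split(",")))
        elif section not in ("apis", "Strings") and (m := KV_RE.match(line)):
            rec["meta"][m["key"].strip()] = m["val"].strip()   # Source File, API ID, Opcode ID, ...
    return records


def functions_calling(records, api, include_subcalls=False):
    """Call-site addresses ('ref') at which `api` is invoked across all blocks."""
    return {c["ref"] for r in records for c in r["apis"]
            if c["api"] == api and (include_subcalls or c["subcall"] is None)}


def resolved_imports(records):
    """Pair each GetProcAddress with the LoadLibraryA preceding it in the same
    block as (dll, symbol).  symbol is None when the trace shows only a
    placeholder ('?') or a numeric value in place of the exported name."""
    pairs = []
    for r in records:
        dll = None
        for c in r["apis"]:
            if c["api"] == "LoadLibraryA" and c["args"]:
                dll = c["args"][0]
            elif c["api"] == "GetProcAddress" and dll is not None:
                sym = c["args"][1] if len(c["args"]) > 1 else "?"
                pairs.append((dll, None if sym == "?" or HEX_RE.match(sym) else sym))
                dll = None
    return pairs


if __name__ == "__main__":
    recs = parse_function_blocks(REPORT_EXCERPT)
    print("GetProcAddress at", sorted(functions_calling(recs, "GetProcAddress", True)))
    print("resolved imports:", resolved_imports(recs))
```

The LoadLibraryA/GetProcAddress pairing only sees what the plugin printed: for the ntdll.dll block the second GetProcAddress argument is a numeric placeholder, so the symbol comes back as None rather than a guessed name. Pivoting is then a matter of comparing the API String ID or Opcode ID values in each record's meta against other reports.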

                                                                                            Execution Graph

                                                                                             Execution Coverage: 2.9%
                                                                                             Dynamic/Decrypted Code Coverage: 30.5%
                                                                                             Signature Coverage: 0%
                                                                                             Total number of Nodes: 1576
                                                                                             Total number of Limit Nodes: 14
                                                                                            execution_graph 14871 2b86a98 14872 2b86aa7 14871->14872 14875 2b87238 14872->14875 14880 2b87253 14875->14880 14876 2b8725c CreateToolhelp32Snapshot 14877 2b87278 Module32First 14876->14877 14876->14880 14878 2b87287 14877->14878 14881 2b86ab0 14877->14881 14882 2b86ef7 14878->14882 14880->14876 14880->14877 14883 2b86f22 14882->14883 14884 2b86f6b 14883->14884 14885 2b86f33 VirtualAlloc 14883->14885 14884->14884 14885->14884 14914 409961 RegisterServiceCtrlHandlerA 14915 40997d 14914->14915 14916 4099cb 14914->14916 14924 409892 14915->14924 14918 40999a 14919 4099ba 14918->14919 14920 409892 SetServiceStatus 14918->14920 14919->14916 14922 409892 SetServiceStatus 14919->14922 14921 4099aa 14920->14921 14921->14919 14927 4098f2 14921->14927 14922->14916 14925 4098c2 SetServiceStatus 14924->14925 14925->14918 14929 4098f6 14927->14929 14930 409904 Sleep 14929->14930 14932 409917 14929->14932 14935 404280 CreateEventA 14929->14935 14930->14929 14931 409915 14930->14931 14931->14932 14934 409947 14932->14934 14962 40977c 14932->14962 14934->14919 14936 4042a5 14935->14936 14937 40429d 14935->14937 14976 403ecd 14936->14976 14937->14929 14939 4042b0 14980 404000 14939->14980 14942 4043c1 FindCloseChangeNotification 14942->14937 14943 4042ce 14986 403f18 WriteFile 14943->14986 14948 4043ba CloseHandle 14948->14942 14949 404318 14950 403f18 4 API calls 14949->14950 14951 404331 14950->14951 14952 403f18 4 API calls 14951->14952 14953 40434a 14952->14953 14994 40ebcc GetProcessHeap HeapAlloc 14953->14994 14956 403f18 4 API calls 14957 404389 14956->14957 14997 40ec2e 14957->14997 14960 403f8c 4 API calls 14961 40439f CloseHandle CloseHandle 14960->14961 14961->14937 15026 40ee2a 14962->15026 14965 4097c2 14967 4097d4 Wow64GetThreadContext 14965->14967 14966 4097bb 14966->14934 14968 409801 14967->14968 14969 4097f5 14967->14969 15028 40637c 14968->15028 14970 4097f6 
402090 16167->16179 16171 402068 16168->16171 16170 402132 GetTickCount GetTickCount 16169->16170 16181 4020e7 16169->16181 16173 40f04e 4 API calls 16170->16173 16171->16167 16172 4020d4 GetTickCount 16172->16169 16175 402159 16173->16175 16174 40212b GetTickCount 16174->16170 16177 4021b4 16175->16177 16180 40e854 13 API calls 16175->16180 16176 402684 2 API calls 16176->16179 16182 40f04e 4 API calls 16177->16182 16179->16172 16179->16176 16184 4020ce 16179->16184 16586 401978 16179->16586 16185 40218e 16180->16185 16181->16174 16189 401978 15 API calls 16181->16189 16190 402125 16181->16190 16591 402ef8 16181->16591 16183 4021d1 16182->16183 16187 4021f2 16183->16187 16191 40ea84 30 API calls 16183->16191 16184->16172 16188 40e819 11 API calls 16185->16188 16187->16140 16192 40219c 16188->16192 16189->16181 16190->16174 16193 4021ec 16191->16193 16192->16177 16599 401c5f 16192->16599 16194 40f04e 4 API calls 16193->16194 16194->16187 16197 407dd6 6 API calls 16196->16197 16198 40833c 16197->16198 16199 406ec3 2 API calls 16198->16199 16205 408340 16198->16205 16200 40834f 16199->16200 16201 40835c 16200->16201 16207 40846b 16200->16207 16202 4073ff 17 API calls 16201->16202 16220 408373 16202->16220 16203 4085df 16204 408626 GetTempPathA 16203->16204 16209 408638 16203->16209 16216 408762 16203->16216 16204->16209 16205->16140 16206 40675c 21 API calls 16206->16203 16210 4084a7 RegOpenKeyExA 16207->16210 16236 408450 16207->16236 16671 406ba7 IsBadCodePtr 16209->16671 16212 4084c0 RegQueryValueExA 16210->16212 16213 40852f 16210->16213 16211 4086ad 16211->16216 16217 407e2f 6 API calls 16211->16217 16214 408521 RegCloseKey 16212->16214 16215 4084dd 16212->16215 16218 408564 RegOpenKeyExA 16213->16218 16226 4085a5 16213->16226 16214->16213 16215->16214 16221 40ebcc 4 API calls 16215->16221 16216->16205 16223 40ec2e codecvt 4 API calls 16216->16223 16227 4086bb 16217->16227 16219 408573 RegSetValueExA RegCloseKey 16218->16219 16218->16226 16219->16226 
16220->16205 16229 4083ea RegOpenKeyExA 16220->16229 16220->16236 16225 4084f0 16221->16225 16222 40875b DeleteFileA 16222->16216 16223->16205 16225->16214 16228 4084f8 RegQueryValueExA 16225->16228 16232 40ec2e codecvt 4 API calls 16226->16232 16226->16236 16227->16222 16237 4086e0 lstrcpyA lstrlenA 16227->16237 16228->16214 16231 408515 16228->16231 16230 4083fd RegQueryValueExA 16229->16230 16229->16236 16233 40842d RegSetValueExA 16230->16233 16234 40841e 16230->16234 16235 40ec2e codecvt 4 API calls 16231->16235 16232->16236 16238 408447 RegCloseKey 16233->16238 16234->16233 16234->16238 16239 40851d 16235->16239 16236->16203 16236->16206 16240 407fcf 64 API calls 16237->16240 16238->16236 16239->16214 16241 408719 CreateProcessA 16240->16241 16242 40873d CloseHandle CloseHandle 16241->16242 16243 40874f 16241->16243 16242->16216 16244 407ee6 64 API calls 16243->16244 16245 408754 16244->16245 16246 407ead 6 API calls 16245->16246 16247 40875a 16246->16247 16247->16222 16254 40a63d 16248->16254 16250 40a685 16250->16152 16252 40a63d GetTickCount 16251->16252 16253 40a696 16252->16253 16253->16152 16255 40a645 16254->16255 16256 40a64d 16254->16256 16255->16250 16257 40a66e 16256->16257 16258 40a65e GetTickCount 16256->16258 16257->16250 16258->16257 16275 40a4c7 GetTickCount 16259->16275 16262 40c300 GetTickCount 16264 40c337 16262->16264 16263 40c326 16263->16264 16265 40c32b GetTickCount 16263->16265 16269 40c363 GetTickCount 16264->16269 16274 40c45e 16264->16274 16265->16264 16266 40c4d2 16266->16140 16267 40c4ab InterlockedIncrement CreateThread 16267->16266 16268 40c4cb CloseHandle 16267->16268 16280 40b535 16267->16280 16268->16266 16270 40c373 16269->16270 16269->16274 16271 40c378 GetTickCount 16270->16271 16272 40c37f 16270->16272 16271->16272 16273 40c43b GetTickCount 16272->16273 16273->16274 16274->16266 16274->16267 16276 40a4f7 InterlockedExchange 16275->16276 16277 40a500 16276->16277 16278 40a4e4 GetTickCount 16276->16278 16277->16262 
16277->16263 16277->16274 16278->16277 16279 40a4ef Sleep 16278->16279 16279->16276 16281 40b566 16280->16281 16282 40ebcc 4 API calls 16281->16282 16283 40b587 16282->16283 16284 40ebcc 4 API calls 16283->16284 16334 40b590 16284->16334 16285 40bdcd InterlockedDecrement 16286 40bde2 16285->16286 16288 40ec2e codecvt 4 API calls 16286->16288 16289 40bdea 16288->16289 16291 40ec2e codecvt 4 API calls 16289->16291 16290 40bdb7 Sleep 16290->16334 16292 40bdf2 16291->16292 16294 40be05 16292->16294 16295 40ec2e codecvt 4 API calls 16292->16295 16293 40bdcc 16293->16285 16295->16294 16296 40ebed 8 API calls 16296->16334 16299 40b6b6 lstrlenA 16299->16334 16300 4030b5 2 API calls 16300->16334 16301 40e819 11 API calls 16301->16334 16302 40b6ed lstrcpyA 16355 405ce1 16302->16355 16305 40b731 lstrlenA 16305->16334 16306 40b71f lstrcmpA 16306->16305 16306->16334 16307 40b772 GetTickCount 16307->16334 16308 40bd49 InterlockedIncrement 16449 40a628 16308->16449 16311 40b7ce InterlockedIncrement 16365 40acd7 16311->16365 16312 4038f0 6 API calls 16312->16334 16313 40bc5b InterlockedIncrement 16313->16334 16316 40b912 GetTickCount 16316->16334 16317 40b826 InterlockedIncrement 16317->16307 16318 40b932 GetTickCount 16321 40bc6d InterlockedIncrement 16318->16321 16318->16334 16319 40bcdc closesocket 16319->16334 16320 405ce1 22 API calls 16320->16334 16321->16334 16324 40a7c1 22 API calls 16324->16334 16325 40bba6 InterlockedIncrement 16325->16334 16327 40bc4c closesocket 16327->16334 16329 40ab81 lstrcpynA InterlockedIncrement 16329->16334 16331 40ba71 wsprintfA 16383 40a7c1 16331->16383 16333 40ef1e lstrlenA 16333->16334 16334->16285 16334->16290 16334->16293 16334->16296 16334->16299 16334->16300 16334->16301 16334->16302 16334->16305 16334->16306 16334->16307 16334->16308 16334->16311 16334->16312 16334->16313 16334->16316 16334->16317 16334->16318 16334->16319 16334->16320 16334->16324 16334->16325 16334->16327 16334->16329 16334->16331 16334->16333 16335 405ded 12 API 
calls 16334->16335 16336 40a688 GetTickCount 16334->16336 16337 403e10 16334->16337 16340 403e4f 16334->16340 16343 40384f 16334->16343 16363 40a7a3 inet_ntoa 16334->16363 16370 40abee 16334->16370 16382 401feb GetTickCount 16334->16382 16403 403cfb 16334->16403 16406 40b3c5 16334->16406 16437 40ab81 16334->16437 16335->16334 16336->16334 16338 4030fa 4 API calls 16337->16338 16339 403e1d 16338->16339 16339->16334 16341 4030fa 4 API calls 16340->16341 16342 403e5c 16341->16342 16342->16334 16344 4030fa 4 API calls 16343->16344 16346 403863 16344->16346 16345 4038b2 16345->16334 16346->16345 16347 4038b9 16346->16347 16348 403889 16346->16348 16458 4035f9 16347->16458 16452 403718 16348->16452 16353 403718 6 API calls 16353->16345 16354 4035f9 6 API calls 16354->16345 16356 405cf4 16355->16356 16357 405cec 16355->16357 16359 404bd1 4 API calls 16356->16359 16464 404bd1 GetTickCount 16357->16464 16360 405d02 16359->16360 16469 405472 16360->16469 16364 40a7b9 16363->16364 16364->16334 16366 40f315 14 API calls 16365->16366 16367 40aceb 16366->16367 16368 40f315 14 API calls 16367->16368 16369 40acff 16367->16369 16368->16369 16369->16334 16371 40abfb 16370->16371 16374 40ac65 16371->16374 16532 402f22 16371->16532 16373 40f315 14 API calls 16373->16374 16374->16373 16375 40ac6f 16374->16375 16376 40ac8a 16374->16376 16377 40ab81 2 API calls 16375->16377 16376->16334 16379 40ac81 16377->16379 16378 402684 2 API calls 16380 40ac23 16378->16380 16540 4038f0 16379->16540 16380->16374 16380->16378 16382->16334 16384 40a87d lstrlenA send 16383->16384 16385 40a7df 16383->16385 16386 40a899 16384->16386 16387 40a8bf 16384->16387 16385->16384 16392 40a7fa wsprintfA 16385->16392 16393 40a80a 16385->16393 16395 40a8f2 16385->16395 16390 40a8a5 wsprintfA 16386->16390 16402 40a89e 16386->16402 16388 40a8c4 send 16387->16388 16387->16395 16391 40a8d8 wsprintfA 16388->16391 16388->16395 16389 40a978 recv 16389->16395 16396 40a982 16389->16396 16390->16402 16391->16402 16392->16393 
16393->16384 16394 40a9b0 wsprintfA 16394->16402 16395->16389 16395->16394 16395->16396 16397 4030b5 2 API calls 16396->16397 16396->16402 16398 40ab05 16397->16398 16399 40e819 11 API calls 16398->16399 16400 40ab17 16399->16400 16401 40a7a3 inet_ntoa 16400->16401 16401->16402 16402->16334 16404 4030fa 4 API calls 16403->16404 16405 403d0b 16404->16405 16405->16334 16407 405ce1 22 API calls 16406->16407 16408 40b3e6 16407->16408 16409 405ce1 22 API calls 16408->16409 16411 40b404 16409->16411 16410 40b440 16413 40ef7c 3 API calls 16410->16413 16411->16410 16412 40ef7c 3 API calls 16411->16412 16414 40b42b 16412->16414 16415 40b458 wsprintfA 16413->16415 16416 40ef7c 3 API calls 16414->16416 16417 40ef7c 3 API calls 16415->16417 16416->16410 16418 40b480 16417->16418 16419 40ef7c 3 API calls 16418->16419 16420 40b493 16419->16420 16421 40ef7c 3 API calls 16420->16421 16422 40b4bb 16421->16422 16554 40ad89 GetLocalTime SystemTimeToFileTime 16422->16554 16426 40b4cc 16427 40ef7c 3 API calls 16426->16427 16428 40b4dd 16427->16428 16429 40b211 7 API calls 16428->16429 16430 40b4ec 16429->16430 16431 40ef7c 3 API calls 16430->16431 16432 40b4fd 16431->16432 16433 40b211 7 API calls 16432->16433 16434 40b509 16433->16434 16435 40ef7c 3 API calls 16434->16435 16436 40b51a 16435->16436 16436->16334 16439 40abe9 GetTickCount 16437->16439 16440 40ab8c 16437->16440 16438 40aba8 lstrcpynA 16438->16440 16442 40a51d 16439->16442 16440->16438 16440->16439 16441 40abe1 InterlockedIncrement 16440->16441 16441->16440 16443 40a4c7 4 API calls 16442->16443 16444 40a52c 16443->16444 16445 40a542 GetTickCount 16444->16445 16447 40a539 GetTickCount 16444->16447 16445->16447 16448 40a56c 16447->16448 16448->16334 16450 40a4c7 4 API calls 16449->16450 16451 40a633 16450->16451 16451->16334 16453 40f04e 4 API calls 16452->16453 16455 40372a 16453->16455 16454 403847 16454->16345 16454->16353 16455->16454 16456 4037b3 GetCurrentThreadId 16455->16456 16456->16455 16457 4037c8 
GetCurrentThreadId 16456->16457 16457->16455 16459 40f04e 4 API calls 16458->16459 16463 40360c 16459->16463 16460 4036f1 16460->16345 16460->16354 16461 4036da GetCurrentThreadId 16461->16460 16462 4036e5 GetCurrentThreadId 16461->16462 16462->16460 16463->16460 16463->16461 16465 404bff InterlockedExchange 16464->16465 16466 404c08 16465->16466 16467 404bec GetTickCount 16465->16467 16466->16356 16467->16466 16468 404bf7 Sleep 16467->16468 16468->16465 16488 404763 16469->16488 16471 405b58 16498 404699 16471->16498 16474 404763 lstrlenA 16475 405b6e 16474->16475 16519 404f9f 16475->16519 16477 405b79 16477->16334 16479 405549 lstrlenA 16485 40548a 16479->16485 16481 40558d lstrcpynA 16481->16485 16482 405a9f lstrcpyA 16482->16485 16483 404ae6 8 API calls 16483->16485 16484 405935 lstrcpynA 16484->16485 16485->16471 16485->16481 16485->16482 16485->16483 16485->16484 16486 405472 13 API calls 16485->16486 16487 4058e7 lstrcpyA 16485->16487 16492 404ae6 16485->16492 16496 40ef7c lstrlenA lstrlenA lstrlenA 16485->16496 16486->16485 16487->16485 16490 40477a 16488->16490 16489 404859 16489->16485 16490->16489 16491 40480d lstrlenA 16490->16491 16491->16490 16493 404af3 16492->16493 16495 404b03 16492->16495 16494 40ebed 8 API calls 16493->16494 16494->16495 16495->16479 16497 40efb4 16496->16497 16497->16485 16524 4045b3 16498->16524 16501 4045b3 7 API calls 16502 4046c6 16501->16502 16503 4045b3 7 API calls 16502->16503 16504 4046d8 16503->16504 16505 4045b3 7 API calls 16504->16505 16506 4046ea 16505->16506 16507 4045b3 7 API calls 16506->16507 16508 4046ff 16507->16508 16509 4045b3 7 API calls 16508->16509 16510 404711 16509->16510 16511 4045b3 7 API calls 16510->16511 16512 404723 16511->16512 16513 40ef7c 3 API calls 16512->16513 16514 404735 16513->16514 16515 40ef7c 3 API calls 16514->16515 16516 40474a 16515->16516 16517 40ef7c 3 API calls 16516->16517 16518 40475c 16517->16518 16518->16474 16520 404fac 16519->16520 16523 404fb0 16519->16523 16520->16477 
16521 404ffd 16521->16477 16522 404fd5 IsBadCodePtr 16522->16523 16523->16521 16523->16522 16525 4045c1 16524->16525 16526 4045c8 16524->16526 16527 40ebcc 4 API calls 16525->16527 16528 40ebcc 4 API calls 16526->16528 16530 4045e1 16526->16530 16527->16526 16528->16530 16529 404691 16529->16501 16530->16529 16531 40ef7c 3 API calls 16530->16531 16531->16530 16547 402d21 GetModuleHandleA 16532->16547 16535 402fcf GetProcessHeap HeapFree 16539 402f44 16535->16539 16536 402f4f 16538 402f6b GetProcessHeap HeapFree 16536->16538 16537 402f85 16537->16535 16537->16537 16538->16539 16539->16380 16541 403900 16540->16541 16543 403980 16540->16543 16542 4030fa 4 API calls 16541->16542 16546 40390a 16542->16546 16543->16376 16544 40391b GetCurrentThreadId 16544->16546 16545 403939 GetCurrentThreadId 16545->16546 16546->16543 16546->16544 16546->16545 16548 402d46 LoadLibraryA 16547->16548 16549 402d5b GetProcAddress 16547->16549 16548->16549 16550 402d54 16548->16550 16549->16550 16553 402d6b 16549->16553 16550->16536 16550->16537 16550->16539 16551 402d97 GetProcessHeap HeapAlloc 16551->16550 16551->16553 16552 402db5 lstrcpynA 16552->16553 16553->16550 16553->16551 16553->16552 16555 40adbf 16554->16555 16579 40ad08 gethostname 16555->16579 16558 4030b5 2 API calls 16559 40add3 16558->16559 16560 40a7a3 inet_ntoa 16559->16560 16562 40ade4 16559->16562 16560->16562 16561 40ae85 wsprintfA 16563 40ef7c 3 API calls 16561->16563 16562->16561 16565 40ae36 wsprintfA wsprintfA 16562->16565 16564 40aebb 16563->16564 16566 40ef7c 3 API calls 16564->16566 16567 40ef7c 3 API calls 16565->16567 16568 40aed2 16566->16568 16567->16562 16569 40b211 16568->16569 16570 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16569->16570 16571 40b2af GetLocalTime 16569->16571 16572 40b2d2 16570->16572 16571->16572 16573 40b2d9 SystemTimeToFileTime 16572->16573 16574 40b31c GetTimeZoneInformation 16572->16574 16575 40b2ec 16573->16575 16576 40b33a wsprintfA 16574->16576 16577 40b312 
FileTimeToSystemTime 16575->16577 16576->16426 16577->16574 16580 40ad71 16579->16580 16585 40ad26 lstrlenA 16579->16585 16582 40ad85 16580->16582 16583 40ad79 lstrcpyA 16580->16583 16582->16558 16583->16582 16584 40ad68 lstrlenA 16584->16580 16585->16580 16585->16584 16587 40f428 14 API calls 16586->16587 16588 40198a 16587->16588 16589 401990 closesocket 16588->16589 16590 401998 16588->16590 16589->16590 16590->16179 16592 402d21 6 API calls 16591->16592 16593 402f01 16592->16593 16596 402f0f 16593->16596 16607 402df2 GetModuleHandleA 16593->16607 16595 402684 2 API calls 16597 402f1d 16595->16597 16596->16595 16598 402f1f 16596->16598 16597->16181 16598->16181 16603 401c80 16599->16603 16600 401d1c 16600->16600 16604 401d47 wsprintfA 16600->16604 16601 401cc2 wsprintfA 16602 402684 2 API calls 16601->16602 16602->16603 16603->16600 16603->16601 16606 401d79 16603->16606 16605 402684 2 API calls 16604->16605 16605->16606 16606->16177 16608 402e10 LoadLibraryA 16607->16608 16609 402e0b 16607->16609 16610 402e17 16608->16610 16609->16608 16609->16610 16611 402ef1 16610->16611 16612 402e28 GetProcAddress 16610->16612 16611->16596 16612->16611 16613 402e3e GetProcessHeap HeapAlloc 16612->16613 16614 402e62 16613->16614 16614->16611 16615 402ede GetProcessHeap HeapFree 16614->16615 16616 402e7f htons inet_addr 16614->16616 16617 402ea5 gethostbyname 16614->16617 16619 402ceb 16614->16619 16615->16611 16616->16614 16616->16617 16617->16614 16621 402cf2 16619->16621 16622 402d1c 16621->16622 16623 402d0e Sleep 16621->16623 16624 402a62 GetProcessHeap HeapAlloc 16621->16624 16622->16614 16623->16621 16623->16622 16625 402a92 16624->16625 16626 402a99 socket 16624->16626 16625->16621 16627 402cd3 GetProcessHeap HeapFree 16626->16627 16628 402ab4 16626->16628 16627->16625 16628->16627 16640 402abd 16628->16640 16629 402adb htons 16644 4026ff 16629->16644 16631 402b04 select 16631->16640 16632 402ca4 16633 402cb3 GetProcessHeap HeapFree closesocket 16632->16633 
16633->16625 16634 402b3f recv 16634->16640 16635 402b66 htons 16635->16632 16635->16640 16636 402b87 htons 16636->16632 16636->16640 16639 402bf3 GetProcessHeap HeapAlloc 16639->16640 16640->16629 16640->16631 16640->16632 16640->16633 16640->16634 16640->16635 16640->16636 16640->16639 16641 402c17 htons 16640->16641 16643 402c4d GetProcessHeap HeapFree 16640->16643 16651 402923 16640->16651 16663 402904 16640->16663 16659 402871 16641->16659 16643->16640 16645 40271d 16644->16645 16646 402717 16644->16646 16648 40272b GetTickCount htons 16645->16648 16647 40ebcc 4 API calls 16646->16647 16647->16645 16649 4027cc htons htons sendto 16648->16649 16650 40278a 16648->16650 16649->16640 16650->16649 16652 402944 16651->16652 16653 40293d 16651->16653 16667 402816 htons 16652->16667 16653->16640 16655 402871 htons 16658 402950 16655->16658 16656 4029bd htons htons htons 16656->16653 16657 4029f6 GetProcessHeap HeapAlloc 16656->16657 16657->16653 16657->16658 16658->16653 16658->16655 16658->16656 16660 4028e3 16659->16660 16661 402889 16659->16661 16660->16640 16661->16660 16661->16661 16662 4028c3 htons 16661->16662 16662->16660 16662->16661 16664 402921 16663->16664 16665 402908 16663->16665 16664->16640 16666 402909 GetProcessHeap HeapFree 16665->16666 16666->16664 16666->16666 16668 40286b 16667->16668 16669 402836 16667->16669 16668->16658 16669->16668 16670 40285c htons 16669->16670 16670->16668 16670->16669 16672 406bc0 16671->16672 16673 406bbc 16671->16673 16674 406bd4 16672->16674 16675 40ebcc 4 API calls 16672->16675 16673->16211 16674->16211 16676 406be4 16675->16676 16676->16674 16677 406c07 CreateFileA 16676->16677 16678 406bfc 16676->16678 16680 406c34 WriteFile 16677->16680 16681 406c2a 16677->16681 16679 40ec2e codecvt 4 API calls 16678->16679 16679->16674 16683 406c49 CloseHandle DeleteFileA 16680->16683 16684 406c5a CloseHandle 16680->16684 16682 40ec2e codecvt 4 API calls 16681->16682 16682->16674 16683->16681 16685 40ec2e codecvt 4 API calls 
16684->16685 16685->16674 14886 2b50005 14891 2b5092b GetPEB 14886->14891 14888 2b50030 14893 2b5003c 14888->14893 14892 2b50972 14891->14892 14892->14888 14894 2b50049 14893->14894 14908 2b50e0f SetErrorMode SetErrorMode 14894->14908 14899 2b50265 14900 2b502ce VirtualProtect 14899->14900 14902 2b5030b 14900->14902 14901 2b50439 VirtualFree 14903 2b504be 14901->14903 14907 2b505f4 LoadLibraryA 14901->14907 14902->14901 14904 2b504e3 LoadLibraryA 14903->14904 14903->14907 14904->14903 14906 2b508c7 14907->14906 14909 2b50223 14908->14909 14910 2b50d90 14909->14910 14911 2b50dad 14910->14911 14912 2b50dbb GetPEB 14911->14912 14913 2b50238 VirtualAlloc 14911->14913 14912->14913 14913->14899
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\fdnoqmpv.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3

Strings

Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd

Yara matches

Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\fdnoqmpv.exe$C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$D$P$\$miqllcjz
• API String ID: 2089075347-2324929444
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02B5024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 821bedec49acb24693a21ae71ce52af293cbcb3bb01fe2280baf47763d91b231
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: DA526974A01229DFDB64DF68C985BACBBB1BF09304F1484D9E94DAB351DB30AA85CF14

                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2098669666-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID:
                                                                                            • API String ID: 2370142434-0
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                            • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 555 2b87238-2b87251 556 2b87253-2b87255 555->556 557 2b8725c-2b87268 CreateToolhelp32Snapshot 556->557 558 2b87257 556->558 559 2b87278-2b87285 Module32First 557->559 560 2b8726a-2b87270 557->560 558->557 561 2b8728e-2b87296 559->561 562 2b87287-2b87288 call 2b86ef7 559->562 560->559 565 2b87272-2b87276 560->565 566 2b8728d 562->566 565->556 565->559 566->561
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02B87260
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 02B87280
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152720884.0000000002B82000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B82000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b82000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 37599476e560b213b5a220a023bbeaf248ae0724eb41f3cd67018803c7ae6370
                                                                                            • Instruction Fuzzy Hash: A0F0C8355007146BD7203EB8AC8CB6AB6E8EF46228F2002A8F68A910C0DF70E8458A52

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 568 2b50e0f-2b50e24 SetErrorMode * 2 569 2b50e26 568->569 570 2b50e2b-2b50e2c 568->570 569->570
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,02B50223,?,?), ref: 02B50E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,02B50223,?,?), ref: 02B50E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: fe2ffd228ee814aa6645193ff169a6dcf1091009a50bf38f89cc0308feb338e2
                                                                                            • Instruction Fuzzy Hash: 2CD01232645228B7DB003A94DC09BCEBB1CDF09BA6F108461FB0DED080CBB09A4046EA

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 571 406dc2-406dd5 572 406e33-406e35 571->572 573 406dd7-406df1 call 406cc9 call 40ef00 571->573 578 406df4-406df9 573->578 578->578 579 406dfb-406e00 578->579 580 406e02-406e22 GetVolumeInformationA 579->580 581 406e24 579->581 580->581 582 406e2e 580->582 581->582 582->572
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 583 409892-4098c0 584 4098c2-4098c5 583->584 585 4098d9 583->585 584->585 587 4098c7-4098d7 584->587 586 4098e0-4098f1 SetServiceStatus 585->586 587->586
                                                                                            APIs
                                                                                            • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: ServiceStatus
                                                                                            • String ID:
                                                                                            • API String ID: 3969395364-0
                                                                                            • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                            • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 588 2b86ef7-2b86f31 call 2b8720a 591 2b86f7f 588->591 592 2b86f33-2b86f66 VirtualAlloc call 2b86f84 588->592 591->591 594 2b86f6b-2b86f7d 592->594 594->591
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02B86F48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152720884.0000000002B82000.00000040.00000020.00020000.00000000.sdmp, Offset: 02B82000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b82000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: ff1951bd5dedbea3e2382f734877af4e58c85e2b14af5a34e4d8e698ecca3842
                                                                                            • Instruction Fuzzy Hash: 66110B79A00208EFDB01DF98C985E99BBF5AF08751F1580A4F9489B361D771EA50EF90

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 595 4098f2-4098f4 596 4098f6-409902 call 404280 595->596 599 409904-409913 Sleep 596->599 600 409917 596->600 599->596 601 409915 599->601 602 409919-409942 call 402544 call 40977c 600->602 603 40995e-409960 600->603 601->600 607 409947-409957 call 40ee2a 602->607 607->603
                                                                                            APIs
                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateEventSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3100162736-0
                                                                                            • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                            • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 02B565F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02B56610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02B56631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02B56652
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 0dc5d20dfd5f064561891013f6c62445108f2822086109a5fd1c3521e95f8f84
                                                                                            • Instruction Fuzzy Hash: 1D1151B1600228BFDB219F65EC45F9B3FACEB057A5F104064FE08AB251D7B1DD008AA4
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 02B59E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 02B59FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02B59FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 02B5A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 02B5A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02B5A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02B5A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 02B5A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 02B5A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 02B59F13
                                                                                              • Part of subcall function 02B57029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02B57081
                                                                                              • Part of subcall function 02B56F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\jfniizgw,02B57043), ref: 02B56F4E
                                                                                              • Part of subcall function 02B56F30: GetProcAddress.KERNEL32(00000000), ref: 02B56F55
                                                                                              • Part of subcall function 02B56F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02B56F7B
                                                                                              • Part of subcall function 02B56F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02B56F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 02B5A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02B5A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 02B5A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 02B5A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 02B5A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02B5A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02B5A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 02B5A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 02B5A2F4
                                                                                            • wsprintfA.USER32 ref: 02B5A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 02B5A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 02B5A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 02B5A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 02B5A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 02B5A1D1
                                                                                              • Part of subcall function 02B59966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 02B5999D
                                                                                              • Part of subcall function 02B59966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 02B599BD
                                                                                              • Part of subcall function 02B59966: RegCloseKey.ADVAPI32(?), ref: 02B599C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 02B5A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 02B5A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 02B5A41D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: fd34ba5254221ef080569d3e927840871edd356429d9718add349f7e2ceb979a
                                                                                            • Instruction Fuzzy Hash: 2AF14FB1C40269EFDB11DBA0DD48FEE7BBCEB08304F0481E5EA05EA141E7759A858F64
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$D
                                                                                            • API String ID: 2976863881-2072606513
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02B57D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02B57D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B57D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02B57DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02B57DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02B57DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B57DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B57DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B57E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02B57E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02B57E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02B57E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$D
                                                                                            • API String ID: 2976863881-2072606513
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: b7c22a944bbe053845dd5c98c7285dc016d8e92032fcd45a982b34d71defaaa6
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: EEA14071A00229AFDB11DFA1DD48FEEBB7DFF08304F0481A9E905EA150DB758A85DB64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02B57A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B57ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02B57ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02B57B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02B57B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02B57B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B57B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B57B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B57B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02B57B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02B57B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02B57B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 02B57BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02B57BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 02B57C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 02B57C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B57CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B57CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02B57CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02B57CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02B57CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 700303cf616861b6cd6260510b80bdd6a7f5613389b9d74a027fb115292fd36b
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 22814F71A00229AFDB11CFA5DD84FEEBBB8FF08304F0480A9E905EA150DB759641DFA4
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$localcfg
                                                                                            • API String ID: 237177642-601414241
                                                                                            • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-3716895483
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
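The inet_addr("123.45.67.89") call followed by GetBestInterface (resolved from Iphlpapi.dll at run time, alongside GetAdaptersInfo and GetIfEntry) is the standard trick for finding the interface the host would use to reach the Internet: the address is only a route-lookup target, no packet is sent to it. The block below is an added example, not the sample's code and not part of the Joe Sandbox report: it performs the portable equivalent with a UDP socket that is connected but never written to, so the kernel does the route lookup and picks a source address. The probe address is the one from the report; the function and helper names, and the "no-route" handling, are the example's own.

```python
# Added example (not the sample's code): route-lookup equivalent of
# inet_addr("123.45.67.89") + GetBestInterface.  connect() on a SOCK_DGRAM socket
# records the peer and makes the kernel choose an egress address WITHOUT sending
# any datagram; getsockname() then reveals that address.
import ipaddress
import socket

PROBE_TARGET = "123.45.67.89"  # taken from the report; it is never contacted


def egress_address(probe=PROBE_TARGET, port=53):
    """Local IPv4 address the host would use to reach `probe`, or None when there
    is no route (isolated sandbox, no default gateway) or sockets are unavailable.
    Nothing is transmitted: UDP connect() only performs the route lookup."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError:
        return None
    with s:
        try:
            s.connect((probe, port))
            return s.getsockname()[0]
        except OSError:  # ENETUNREACH / EACCES etc.: no usable route
            return None


def classify(addr):
    """Triage helper: separate 'no route' from loopback from real LAN/WAN addresses.
    A spam bot running in an isolated VM sees 'no-route' and typically idles."""
    if addr is None:
        return "no-route"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_unspecified:
        return "loopback"
    return "private" if ip.is_private else "public"


if __name__ == "__main__":
    a = egress_address()
    print(a, classify(a))
```

Because the address is a routing probe rather than a peer, 123.45.67.89 on its own is not a network indicator for this sample; the C2 addresses come from the extracted configuration, not from this function.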
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 02B5865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 02B5867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 02B586A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02B586B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe
                                                                                            • API String ID: 237177642-3116881678
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 13012afd7acd722029f2859d73b4264c37c2ea3a751374d1fd93e63bae77a724
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 55C1A371900258BEEB11EBA4DD85FEF7BBDEB08304F1440A5FA05EA050E7718AD48F65
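Both RegOpenKeyExA/RegQueryValueExA/RegSetValueExA functions above open HKEY_LOCAL_MACHINE (0x80000002) with the mask 0x103 and write 4-byte values with dwType 4 (REG_DWORD); the registry walkers further down use 0x20119 and 0x101. All three masks include KEY_WOW64_64KEY (0x100), so this 32-bit binary (it lives under SysWOW64) deliberately reads and writes the 64-bit registry view, and a hunt that only looks at the WOW6432Node view will miss its key. The block below is an added example, not the sample's code and not a Joe Sandbox feature: it decodes those masks into named rights and hunts for the configuration key by the value names the host-fingerprinting function stores (born_date, flags_upd, hi_id, lid_file_upd, loader_id, localcfg, net_type, start_srv, work_srv). The key path is not on the page, so the hunt matches on value names rather than a hard-coded location; the snapshot dictionary, the key path "SOFTWARE\Example\Config" in it, the threshold and all function names are the example's own.

```python
# Added example (not the sample's code): decode the samDesired masks seen in the
# report and hunt HKLM\SOFTWARE (64-bit view) for a key carrying the Tofsee-style
# per-host value names.  Runs offline against a constructed snapshot; the live
# winreg walk is Windows-only.
import sys

# Registry rights from winnt.h (documented constant values).
KEY_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE",
    0x0002: "KEY_SET_VALUE",
    0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS",
    0x0010: "KEY_NOTIFY",
    0x0020: "KEY_CREATE_LINK",
    0x0100: "KEY_WOW64_64KEY",
    0x0200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | QUERY_VALUE | ENUMERATE_SUB_KEYS | NOTIFY

# Masks as they appear in this report's RegOpenKeyExA calls.
REPORT_MASKS = (0x103, 0x20119, 0x101)


def decode_sam(mask):
    """Names of the rights in a samDesired value; the composite KEY_READ is
    reported as one name, leftover unknown bits as hex."""
    names = []
    if mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    for bit in sorted(KEY_RIGHTS):
        if mask & bit:
            names.append(KEY_RIGHTS[bit])
            mask &= ~bit
    if mask:
        names.append("0x%x" % mask)
    return names


# Value names shown next to GetVersionExA/GetComputerNameA in the report.
TOFSEE_CONFIG_VALUES = {"born_date", "flags_upd", "hi_id", "lid_file_upd",
                        "loader_id", "localcfg", "net_type", "start_srv", "work_srv"}


def find_config_keys(snapshot, threshold=4):
    """Key paths whose value names overlap the known set by >= threshold names.
    `snapshot` maps key path -> iterable of value names.  The threshold (an
    assumption of this example) keeps a single shared name like 'localcfg'
    from producing a hit."""
    return sorted(path for path, names in snapshot.items()
                  if len(TOFSEE_CONFIG_VALUES & set(names)) >= threshold)


def walk_hklm_software(max_depth=3):
    """Live snapshot of HKLM\\SOFTWARE in the 64-bit view, matching the sample's
    KEY_WOW64_64KEY usage.  Windows only; returns the same shape as the
    constructed snapshot below."""
    if sys.platform != "win32":
        raise RuntimeError("live registry walk requires Windows")
    import winreg
    out = {}

    def walk(path, depth):
        try:
            h = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0,
                               winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:
            return  # access denied or vanished key: skip it
        with h:
            nsub, nval, _ = winreg.QueryInfoKey(h)
            out[path] = [winreg.EnumValue(h, i)[0] for i in range(nval)]
            if depth < max_depth:
                for i in range(nsub):
                    walk(path + "\\" + winreg.EnumKey(h, i), depth + 1)

    walk("SOFTWARE", 0)
    return out


# Constructed snapshot for offline use (paths and value names invented for the example).
CONSTRUCTED_SNAPSHOT = {
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run": ["OneDrive", "SecurityHealth"],
    "SOFTWARE\\Example\\Config": ["born_date", "flags_upd", "hi_id", "localcfg",
                                  "loader_id", "net_type", "start_srv", "work_srv"],
    "SOFTWARE\\Vendor\\App": ["localcfg", "version"],  # one shared name: not a hit
}

if __name__ == "__main__":
    for m in REPORT_MASKS:
        print("0x%x -> %s" % (m, " | ".join(decode_sam(m))))
    print(find_config_keys(CONSTRUCTED_SNAPSHOT))
```

On a live host, pass `walk_hklm_software()` to `find_config_keys`; run it from a 64-bit interpreter or keep the KEY_WOW64_64KEY flag as written, otherwise a 32-bit interpreter is silently redirected to the WOW6432Node view the sample avoids.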
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02B51601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 02B517D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: b49837fe2644e33a006852cc3f8fab30073f209ae11c8fefb92968bd63d41a33
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 6EF1B1B15183519FD720DF68C888BABB7E5FB88304F00896DFA999B390D7B4D944CB52
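The ShellExecuteExW function above carries the strings "%systemroot%\system32\cmd.exe", "wusa.exe" and "uac" (in the unpacked copy at 0x00400000; this injected copy shows only the control characters). wusa.exe is a Microsoft-signed, auto-elevating binary, which is why it was abused for UAC bypasses, the best-known form being wusa.exe /extract writing into a protected Windows directory on releases before Windows 10 1607. The block below is an added example, not the sample's code and not a Joe Sandbox signature: a small process-creation triage rule for that pairing, run over constructed Sysmon-style events. The field names, the parent allow-list and the constructed dropper.exe path are the example's own assumptions.

```python
# Added example (not the sample's code): triage rule for the wusa.exe / cmd.exe
# elevation pattern, applied to constructed process-creation events.
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
WINDOWS_DIRS = ("\\windows\\system32", "\\windows\\syswow64", "\\windows\\")
# Parents from which wusa.exe is normally started (assumption of this example).
EXPECTED_WUSA_PARENTS = {"explorer.exe", "svchost.exe", "wuauclt.exe", "usoclient.exe", "msiexec.exe"}


def _base(path):
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return ntpath.basename(path or "").lower()


def triage_event(ev):
    """Reasons a process-creation event looks like the wusa.exe elevation pattern."""
    reasons = []
    image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))
    cmdline = (ev.get("CommandLine") or "").lower()
    if parent == "wusa.exe" and image in SHELLS:
        reasons.append("shell or script host spawned by auto-elevating wusa.exe")
    if image == "wusa.exe" and "/extract" in cmdline and any(d in cmdline for d in WINDOWS_DIRS):
        reasons.append("wusa.exe /extract targeting a Windows directory")
    if image == "wusa.exe" and parent and parent not in EXPECTED_WUSA_PARENTS:
        reasons.append("wusa.exe started by an unexpected parent (%s)" % parent)
    return reasons


def triage(events):
    """(index, reasons) for every event that produced at least one reason."""
    hits = []
    for i, ev in enumerate(events):
        r = triage_event(ev)
        if r:
            hits.append((i, r))
    return hits


# Constructed events (not from the sandbox run): two suspicious, one benign update.
CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\System32\wusa.exe",
     "CommandLine": r"wusa.exe C:\Users\u\AppData\Local\Temp\x.cab /extract:C:\Windows\System32",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe"',
     "ParentImage": r"C:\Windows\System32\wusa.exe"},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "CommandLine": r"wusa.exe C:\Users\u\Downloads\KB1234567.msu /quiet",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for i, reasons in triage(CONSTRUCTED_EVENTS):
        print(i, CONSTRUCTED_EVENTS[i]["Image"], reasons)
```

The parent-process rule is the durable one: whichever elevation trick is used, the elevated cmd.exe or script host still carries wusa.exe as its parent, and Windows Update never spawns an interactive shell from it.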
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 02B576D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02B57757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 02B5778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 02B578B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02B5794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 02B5796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02B5797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02B579AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02B57A56
                                                                                              • Part of subcall function 02B5F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,02B5772A,?), ref: 02B5F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B579F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02B57A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: 76c531f3e8bba5e5c349dc75a5fa8aa1c4d513cd5ea5f36440f4a47374786950
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: 75C15171A00269AFEB11DFA4DC44FEEBBB9EF49310F1440E5E904AA150EF759A84DB60
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B52CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02B52D07
                                                                                            • htons.WS2_32(00000000), ref: 02B52D42
                                                                                            • select.WS2_32 ref: 02B52D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02B52DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02B52E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 9edc1aada59a740b4ee84089bb1603b75e09b61f63ddc8b246c7df4c3865c484
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 9861F372505325ABD720AF60DC48B6BBBF8FB48745F044899FD889B190D7B4D880CBA6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 02B5202D
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 02B5204F
                                                                                            • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 02B5206A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B52071
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 02B52082
                                                                                            • GetTickCount.KERNEL32 ref: 02B52230
                                                                                              • Part of subcall function 02B51E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02B51E7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                            • API String ID: 4207808166-1391650218
                                                                                            • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: 602b300ee3762d138b06bec4619f5d76fb711925caa6e4cfff8a6b392b45b67e
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: AA51F1B0900358AFE320AF758C85F67BAECEF44704F00495DFD968A142D7B9E584CB65
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02B53068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02B53078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 02B53095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B530B6
                                                                                            • htons.WS2_32(00000035), ref: 02B530EF
                                                                                            • inet_addr.WS2_32(?), ref: 02B530FA
                                                                                            • gethostbyname.WS2_32(?), ref: 02B5310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02B5314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: e0bcaff6a1744e085b6e011dd2d219b87b89e493495135a32749880299240cea
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: BA318431A00716ABDB119BB89C48BAE77F8EF047A4F1441E5ED18EB390DB74D5818B68
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 02B595A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02B595D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02B595DC
                                                                                            • wsprintfA.USER32 ref: 02B59635
                                                                                            • wsprintfA.USER32 ref: 02B59673
                                                                                            • wsprintfA.USER32 ref: 02B596F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02B59758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B5978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B597D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID:
                                                                                            • API String ID: 3696105349-0
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: 7889003cb5eeeb0a84b0ef9524ca3bc71d4a6e2997717ed34a552c5dd9daf63b
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: 6DA17CB1900668EBEB21DFA0DC45FDA3BADEB04740F1040A6FE159A151E7B5D984CFA4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 02B567C3
                                                                                            • htonl.WS2_32(?), ref: 02B567DF
                                                                                            • htonl.WS2_32(?), ref: 02B567EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 02B568F1
                                                                                            • ExitProcess.KERNEL32 ref: 02B569BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: 88725b4f978a636b92829267ab6f79f3877ebb1355a4350bdd870361328f1dd5
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: 2B616F71A40218AFDB609FB4DC45FEA77E9FF08300F148066FA6DD6161DBB5A9908F14
                                                                                            APIs
                                                                                            • htons.WS2_32(02B5CC84), ref: 02B5F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 02B5F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 02B5F5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: fc278130314db384a62ad7f699ef9b241e1c9ed376a81bbccbbd4c1474f4ff30
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: B9317C76900128ABDB11DFA5DC88EEEBBFCEF89310F1045A6F905D7150E7708A81CBA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 02B52FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02B52FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02B52FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02B53000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02B53007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02B53032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: a6a14b9a932512481559982a348f6d2521eba0965ac7ffd98efaa2d0af0e7619
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 12213071D41729BBCB219B55DC48BAEBBB8EF08B50F1484A1FD05EB240D7B49A8187E4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02B59A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 02B59A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 02B59A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02B59A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 02B59AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 02B59AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: 8fa364e010fac5b3ab620c549bf1fd374af0e2ba6a93712637112b71daf9e9e6
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: AF212AB1A01229BBDF119BA1DC09FEFBBBCEF05750F4040A1FA19E6050E7758A44CEA4
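The API chain listed for the function at 02B59A18 (CreateProcessA with dwCreationFlags 0x00000004, i.e. CREATE_SUSPENDED, followed by GetThreadContext, a 4-byte WriteProcessMemory, SetThreadContext with ContextFlags 0x00010002 = CONTEXT_i386 | CONTEXT_INTEGER, and ResumeThread) is the classic suspended-process injection / process-hollowing sequence: spawn a target suspended, write the new image (or at least a patched image base) into it, point the primary thread's registers at the new entry point and resume. Two caveats when reading such a listing: it is produced statically by the IDA plugin in call-site order, not execution order, and the TerminateProcess at 02B59A60 between GetThreadContext and WriteProcessMemory is presumably an error branch rather than part of the happy path. The script below is an added example, not part of the report or of Joe Sandbox; it parses bullet lines in the report's "APIs" format and flags the chain as an ordered subsequence, requiring the CREATE_SUSPENDED bit on the CreateProcess call so that a plain launcher does not fire. The two listings embedded in it are the one from this report and a constructed benign counterpart.

```python
"""Flag the suspended-process injection chain in Joe Sandbox "APIs" listings."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One bullet line of a Joe Sandbox "APIs" listing, for example:
#   • CreateProcessA.KERNEL32(00000000,?,...,00000004,...), ref: 02B59A18
#   • GetProcessHeap.KERNEL32 ref: 02B51C84
#   • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit; 6th CreateProcess argument


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]  # raw tokens; "?" marks an argument the plugin could not resolve
    ref: int         # call-site address

    def arg_int(self, index: int) -> Optional[int]:
        """Argument `index` as an int, or None when absent or unresolved ("?")."""
        if index >= len(self.args):
            return None
        try:
            return int(self.args[index].strip(), 16)
        except ValueError:
            return None


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every bullet line of an "APIs" listing, keeping the report's order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(api=m.group("api"), module=m.group("module"),
                             args=args.split(",") if args else [],
                             ref=int(m.group("ref"), 16)))
    return calls


def _created_suspended(call: ApiCall) -> bool:
    flags = call.arg_int(5)
    return flags is not None and bool(flags & CREATE_SUSPENDED)


# Ordered chain: (accepted API names, optional predicate on the matched call).
HOLLOWING_CHAIN = [
    ({"CreateProcessA", "CreateProcessW"}, _created_suspended),
    ({"GetThreadContext"}, None),
    ({"WriteProcessMemory"}, None),
    ({"SetThreadContext"}, None),
    ({"ResumeThread"}, None),
]


def match_chain(calls: List[ApiCall], chain) -> Optional[List[ApiCall]]:
    """Return the calls forming `chain` as an ordered subsequence of `calls`
    (unrelated calls may be interleaved, e.g. an error-path TerminateProcess),
    or None if the chain is incomplete."""
    matched, step = [], 0
    for call in calls:
        names, pred = chain[step]
        if call.api in names and (pred is None or pred(call)):
            matched.append(call)
            step += 1
            if step == len(chain):
                return matched
    return None


def detect_hollowing(text: str) -> List[int]:
    """Call-site addresses of the injection chain, or [] when it is not present."""
    hit = match_chain(parse_api_listing(text), HOLLOWING_CHAIN)
    return [c.ref for c in hit] if hit else []


# Listing copied from the report's function at 02B59A18.
SAMPLE_REPORT = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02B59A18
• GetThreadContext.KERNEL32(?,?), ref: 02B59A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02B59A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02B59A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02B59AB5
• ResumeThread.KERNEL32(?), ref: 02B59AC2
"""

# Constructed benign launcher: not suspended, no context tampering.
SAMPLE_BENIGN = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,FFFFFFFF), ref: 00401020
• CloseHandle.KERNEL32(?), ref: 00401030
"""

if __name__ == "__main__":
    for name, listing in (("report", SAMPLE_REPORT), ("benign", SAMPLE_BENIGN)):
        refs = detect_hollowing(listing)
        print(name, "->", ", ".join(f"{r:08X}" for r in refs) or "no chain")
```

Because the match is a subsequence rather than an exact sequence, the same rule still fires when a sample adds NtUnmapViewOfSection or VirtualAllocEx between the steps; tightening it to require those calls would trade recall for precision, and on this report it is not needed.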
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 02B51C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 02B51C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 02B51C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02B51C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02B51CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 02B51D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 02B51D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: 20582bfe35f8f64ab7641b4761912c3f3e2dd91b2ec21c1c352d4aaac43edcc2
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: DC316131D10229BFCB119FE8DC88AFEBBB9EB45305B2444BAE905AA150D7B54E80DB54
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02B56CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02B56D22
                                                                                            • GetLastError.KERNEL32 ref: 02B56DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 02B56DB5
                                                                                            • GetLastError.KERNEL32 ref: 02B56DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02B56DE7
                                                                                            • GetLastError.KERNEL32 ref: 02B56DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ad063546108f3a1de224834b59acdd557179193ea7833a4c46a4680dd2774ebc
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: F2312372800259BFCB01DFA4DD44BEE7FBDEB48300F0485A5EA11EB290D7708A81CB61
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\jfniizgw,02B57043), ref: 02B56F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B56F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02B56F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02B56F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$\\.\pipe\jfniizgw
                                                                                            • API String ID: 1082366364-1567519040
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: 4f0433668ddace705ef3c98920c4e38797d12b2f33d92b679024b8457e5a16c6
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: 7C210E21B413603AF72297319C88FFB6E8DCF52724F1C80E5FC04AA490DBD984D686AD
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: 0344700cafbb86559de1f0ebb7434b1a7171f1dbfb4228cd9bc423285571def6
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: 35711672A00338ABDF21AA54DC85FEE3769EB01719F2442E6FE04BE0D0DF6295848B55
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 02B5DF6C: GetCurrentThreadId.KERNEL32 ref: 02B5DFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 02B5E8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02B56128), ref: 02B5E950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 02B5E989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: a30b91784907e44d5af3e0bcd287dae9c6b9dc8ca391f793d8fd6f7e7facec5a
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: 6131AD31A00725DBDF71CF24C884BA67BE4EF05724F1089AAEA96CF550D374EA81CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: 6a63e0e2e68a3c728d2d39f30bd3993283dbf29d743ed101e7d11cccdeba89cc
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: 19216072105125FFDB109BB0FC48FDF3FADDB49265B5084A5F906D9090EB70DA419A74
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 02B592E2
                                                                                            • wsprintfA.USER32 ref: 02B59350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B59375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 02B59389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 02B59394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B5939B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: d5da7a6666f93349680d696c02b90b8a4cfbc2573c965a4562f2031f27a755fc
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: D61175B16402247BF7256731DC0DFEF3A6EDBC5B14F00C0A5BF06A9090EEB49A418AA4
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                            • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                            • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 02B5C6B4
• InterlockedIncrement.KERNEL32(02B5C74B), ref: 02B5C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,02B5C747), ref: 02B5C728
• CloseHandle.KERNEL32(00000000,?,02B5C747,00413588,02B58A77), ref: 02B5C733
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: eca346a4cd58943c494ad6a1380dfcb729f8213a4e08028515f35d7479eb32ec
• Instruction Fuzzy Hash: C3517FB1A00B518FD7248F69C5C562ABBEAFB48304B50697FE58BCBA90D774F940CB10
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe
• API String ID: 124786226-3787335913
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02B571E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B57228
• LocalFree.KERNEL32(?,?,?), ref: 02B57286
• wsprintfA.USER32 ref: 02B5729D
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 939af82a8f77603e9ede124d6ee1f6ba281654bbde87c6e73f4aab7e8112d575
• Instruction Fuzzy Hash: 51311872A00218BBDB11DFA8DC45BDA7BACEF05354F1480A6FD59DB200EB75D6488BA4
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
APIs
• GetLocalTime.KERNEL32(?), ref: 02B5B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02B5B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02B5B548
• GetTimeZoneInformation.KERNEL32(?), ref: 02B5B590
• wsprintfA.USER32 ref: 02B5B61E
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 97087d01b93f24b2c3e71075f1112092963bf46f1569abb28710388fd868a515
• Instruction Fuzzy Hash: D55102B1D0021DAADF18DFD5D8445EEBBB9FF48304F10816AF505A6150E7B84AC9CF94
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02B56303
• LoadLibraryA.KERNEL32(?), ref: 02B5632A
• GetProcAddress.KERNEL32(00000000,?), ref: 02B563B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02B56405
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 1fd478efc5f7d7496d60df26afc701fa52369907fa63459e71fa09f7282f437e
• Instruction Fuzzy Hash: EE414B71A00229ABDB14CF58C884BADB7B8EF04358F58C1A9ED65DB290E775E941CB50
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• API String ID: 1802437671-0
• Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: setsockopt
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 02B593C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02B593CD
                                                                                            • CharToOemA.USER32(?,?), ref: 02B593DB
                                                                                            • wsprintfA.USER32 ref: 02B59410
                                                                                              • Part of subcall function 02B592CB: GetTempPathA.KERNEL32(00000400,?), ref: 02B592E2
                                                                                              • Part of subcall function 02B592CB: wsprintfA.USER32 ref: 02B59350
                                                                                              • Part of subcall function 02B592CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B59375
                                                                                              • Part of subcall function 02B592CB: lstrlen.KERNEL32(?,?,00000000), ref: 02B59389
                                                                                              • Part of subcall function 02B592CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02B59394
                                                                                              • Part of subcall function 02B592CB: CloseHandle.KERNEL32(00000000), ref: 02B5939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02B59448
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: b4dd5066b3f831080d11651bedd2daacdd709c23aebc9d756d7baea4c6ad93af
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: 4E0152F6900128BBD721A7619D49FDF777CDB95701F0040A1BB49E6080DAB49AC58F75
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: f2cb01cfafcb314e32b9fd1b2dfc3bd6be1cccf9f883c16c21cbba3d20415df8
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 47E08C306051618FCB008B28F888BC537A4EF0A230F0081D0F850CB2A0C738AC809640
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 02B569E5
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 02B56A26
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 02B56A3A
                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 02B56BD8
                                                                                              • Part of subcall function 02B5EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02B51DCF,?), ref: 02B5EEA8
                                                                                              • Part of subcall function 02B5EE95: HeapFree.KERNEL32(00000000), ref: 02B5EEAF
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 3384756699-0
                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction ID: f29b49ba9a9fa83c59118a2672c2f884d8b185b02f11fbefcdcd9691d20d2d40
                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction Fuzzy Hash: 3C711971D0062DEFDF10DFA4CC81AEEBBB9FB08354F5045AAE915AA190D7309E92DB50
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02B5E50A,00000000,00000000,00000000,00020106,00000000,02B5E50A,00000000,000000E4), ref: 02B5E319
• RegSetValueExA.ADVAPI32(02B5E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 02B5E38E
• RegDeleteValueA.ADVAPI32(02B5E50A,?,?,?,?,?,000000C8,004122F8), ref: 02B5E3BF
• RegCloseKey.ADVAPI32(02B5E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,02B5E50A), ref: 02B5E3C8
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 21b8b5475965f774b3a5f34a68cf72b1e70803cd7be8018dde5209d300b54d85
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 20214B71A00229ABDB219FA4EC89FEE7F69EF09750F048061E904AA150E371CA54DBA0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
• Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02B5421F
• GetLastError.KERNEL32 ref: 02B54229
• WaitForSingleObject.KERNEL32(?,?), ref: 02B5423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B5424D
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 19977e573e04b1bd92cf5eeb1ba45912bf89efef39118d9a102019de6cf14f5a
• Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction Fuzzy Hash: 59010872521129AFDF01DF91ED84BEF7BBCEB08255F0080A1F901E6050DB71DA958BB6
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 02B541AB
• GetLastError.KERNEL32 ref: 02B541B5
• WaitForSingleObject.KERNEL32(?,?), ref: 02B541C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B541D9
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 23609a2046eaa358f3f743a2f21faad7016d9ccf15516880e1232544d9d92b44
• Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction Fuzzy Hash: 9301E97651111AABDF01DF90EE84BEE7F7CEB18295F0040A1F901E6150D7709AA48BB5
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 02B5E066
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
• Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction ID: 304e62cb1e815738cfdc1a867fe6c90ba9e692a4517d248ba35602231ac55aa0
• Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction Fuzzy Hash: D7F062716007229BCB20CF25D884B82B7E9FF05325B4886ABE954D7060D374E599CB51
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
• Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
• Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 02B583C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02B58477
  • Part of subcall function 02B569C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 02B569E5
  • Part of subcall function 02B569C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02B56A26
  • Part of subcall function 02B569C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02B56A3A
  • Part of subcall function 02B5EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02B51DCF,?), ref: 02B5EEA8
  • Part of subcall function 02B5EE95: HeapFree.KERNEL32(00000000), ref: 02B5EEAF
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe
• API String ID: 359188348-3787335913
• Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction ID: 974c5878f9d1d59e44bcc17344448678045e32200bb72f7877cc34d81fff1557
• Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction Fuzzy Hash: 0C4150B2901129BFEB20EBA49D80FFF776DEB04344F1844E6ED44DA010EBB05A958F64
APIs
• GetLocalTime.KERNEL32(?), ref: 02B5AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02B5B00D
  • Part of subcall function 02B5AF6F: gethostname.WS2_32(?,00000080), ref: 02B5AF83
  • Part of subcall function 02B5AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 02B5AFE6
  • Part of subcall function 02B5331C: gethostname.WS2_32(?,00000080), ref: 02B5333F
  • Part of subcall function 02B5331C: gethostbyname.WS2_32(?), ref: 02B53349
  • Part of subcall function 02B5AA0A: inet_ntoa.WS2_32(00000000), ref: 02B5AA10
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
• Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction ID: 24b8dd59228d83e88bb8fa630d0a7a2cd55a671c18253699521c91cbd7880320
• Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction Fuzzy Hash: F1417F7290021CABDB21EFA0DC45FEE3BADFF08304F184466FE2496151EA75E6848F54
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02B59536
• Sleep.KERNEL32(000001F4), ref: 02B5955D
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
• Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction ID: 9a5e7433e88636841f9b80378e79d2d33763fc5db1975a9e905e11784dd53e5d
• Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction Fuzzy Hash: E94125718087A4EFFB369B64E88C7B63BA5DB02314F1800E5DC869F1A3D7B44981C7A1

APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
• Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
• Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

APIs
• GetTickCount.KERNEL32 ref: 02B5B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 02B5BA3A
• InterlockedIncrement.KERNEL32(?), ref: 02B5BA94
• GetTickCount.KERNEL32 ref: 02B5BB79
• GetTickCount.KERNEL32 ref: 02B5BB99
• InterlockedIncrement.KERNEL32(?), ref: 02B5BE15
• closesocket.WS2_32(00000000), ref: 02B5BEB4
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: 2745e1a50f3263b21da9ef9321407d3b293225ed50c16e525fc9b0da92b77ab9
• Instruction Fuzzy Hash: 4A317A71400298DFDF25DFA4DC84BEDB7A9EB48704F2444AAFE249A1A4DB70DA85CF10

Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C

Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 02B570BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 02B570F4
Memory Dump Source
• Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: 51b46af6d8d71093b0323f56cc65824b60e02372a8945f8214c88a8546e72919
• Instruction Fuzzy Hash: 1611FA72A00128EBDB11DBD6DC84FDEB7BDEB04715F1441A6E901EA194DB709B88DBA0

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C

APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C

APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000C.00000002.2151244211.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_fzzrueiu.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                            APIs
                                                                                              • Part of subcall function 02B52F88: GetModuleHandleA.KERNEL32(?), ref: 02B52FA1
                                                                                              • Part of subcall function 02B52F88: LoadLibraryA.KERNEL32(?), ref: 02B52FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B531DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 02B531E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2152673775.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_2b50000_fzzrueiu.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: f19a6042535d841ac1d19de522ab5b5547c392dec6bcfbebcd6ab75328de7c86
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 7B518E7190066AAFCB019F64D884AFAB7B5FF05344F1445E9EC96CB310E732DA59CB90

                                                                                            Execution Graph

                                                                                            Execution Coverage:14.6%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:0.7%
                                                                                            Total number of Nodes:1809
                                                                                            Total number of Limit Nodes:18
58c5b7 6984->6985 6986 58f04e 4 API calls 6985->6986 6987 58c5bf 6986->6987 6987->6973 6987->6980 6990 58c8d2 6988->6990 6989 58c907 6989->6376 6990->6989 6991 58c517 23 API calls 6990->6991 6991->6989 6993 58c670 6992->6993 6994 58c67d 6992->6994 6995 58ebcc 4 API calls 6993->6995 6996 58ebcc 4 API calls 6994->6996 6998 58c699 6994->6998 6995->6994 6996->6998 6997 58c6f3 6997->6405 6997->6457 6998->6997 6999 58c73c send 6998->6999 6999->6997 7001 58c770 7000->7001 7002 58c77d 7000->7002 7004 58ebcc 4 API calls 7001->7004 7003 58c799 7002->7003 7005 58ebcc 4 API calls 7002->7005 7006 58c7b5 7003->7006 7007 58ebcc 4 API calls 7003->7007 7004->7002 7005->7003 7008 58f43e recv 7006->7008 7007->7006 7009 58c7cb 7008->7009 7010 58f43e recv 7009->7010 7011 58c7d3 7009->7011 7010->7011 7011->6457 7128 587db7 7012->7128 7015 587e96 7015->6457 7016 587e70 7016->7015 7018 58f04e 4 API calls 7016->7018 7017 58f04e 4 API calls 7019 587e4c 7017->7019 7018->7015 7019->7016 7020 58f04e 4 API calls 7019->7020 7020->7016 7022 586ec3 2 API calls 7021->7022 7023 587fdd 7022->7023 7024 5873ff 17 API calls 7023->7024 7025 5880c2 CreateProcessA 7023->7025 7026 587fff 7024->7026 7025->6459 7025->6464 7026->7025 7026->7026 7027 587809 21 API calls 7026->7027 7028 58804d 7027->7028 7028->7025 7029 58ef1e lstrlenA 7028->7029 7030 58809e 7029->7030 7031 58ef1e lstrlenA 7030->7031 7032 5880af 7031->7032 7033 587a95 24 API calls 7032->7033 7033->7025 7035 587db7 2 API calls 7034->7035 7036 587eb8 7035->7036 7037 58f04e 4 API calls 7036->7037 7038 587ece DeleteFileA 7037->7038 7038->6457 7040 58dd05 6 API calls 7039->7040 7041 58e31d 7040->7041 7132 58e177 7041->7132 7043 58e326 7043->6430 7045 5831f3 7044->7045 7055 5831ec 7044->7055 7046 58ebcc 4 API calls 7045->7046 7053 5831fc 7046->7053 7047 583459 7049 58f04e 4 API calls 7047->7049 7048 58349d 7050 58ec2e codecvt 4 API calls 7048->7050 7051 58345f 7049->7051 7050->7055 7052 5830fa 4 API calls 7051->7052 7052->7055 7054 58ebcc 
GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7053->7054 7053->7055 7056 58344d 7053->7056 7059 583141 lstrcmpiA 7053->7059 7060 58344b 7053->7060 7158 5830fa GetTickCount 7053->7158 7054->7053 7055->6457 7057 58ec2e codecvt 4 API calls 7056->7057 7057->7060 7059->7053 7060->7047 7060->7048 7062 5830fa 4 API calls 7061->7062 7063 583c1a 7062->7063 7067 583ce6 7063->7067 7163 583a72 7063->7163 7066 583a72 9 API calls 7070 583c5e 7066->7070 7067->6457 7068 583a72 9 API calls 7068->7070 7069 58ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7069->7070 7070->7067 7070->7068 7070->7069 7072 583a10 7071->7072 7073 5830fa 4 API calls 7072->7073 7074 583a1a 7073->7074 7074->6457 7076 58dd05 6 API calls 7075->7076 7077 58e7be 7076->7077 7077->6457 7079 58c07e wsprintfA 7078->7079 7080 58c105 7078->7080 7172 58bfce GetTickCount wsprintfA 7079->7172 7080->6457 7082 58c0ef 7173 58bfce GetTickCount wsprintfA 7082->7173 7085 587047 7084->7085 7086 586f88 7084->7086 7085->6457 7086->7086 7087 586f94 LookupAccountNameA 7086->7087 7088 586fcb 7087->7088 7089 587025 7087->7089 7091 586fdb ConvertSidToStringSidA 7088->7091 7174 586edd 7089->7174 7091->7089 7093 586ff1 7091->7093 7094 587013 LocalFree 7093->7094 7094->7089 7096 58dd05 6 API calls 7095->7096 7097 58e85c 7096->7097 7098 58dd84 lstrcmpiA 7097->7098 7099 58e867 7098->7099 7100 58e885 lstrcpyA 7099->7100 7185 5824a5 7099->7185 7188 58dd69 7100->7188 7106 587db7 2 API calls 7105->7106 7107 587de1 7106->7107 7108 587e16 7107->7108 7109 58f04e 4 API calls 7107->7109 7108->6457 7110 587df2 7109->7110 7110->7108 7111 58f04e 4 API calls 7110->7111 7111->7108 7113 58f33b 7112->7113 7114 58ca1d 7112->7114 7115 58f347 htons socket 7113->7115 7114->6389 7114->6967 7116 58f382 ioctlsocket 7115->7116 7117 58f374 closesocket 7115->7117 7118 58f3aa connect select 7116->7118 7119 58f39d 7116->7119 7117->7114 7118->7114 7121 58f3f2 __WSAFDIsSet 7118->7121 7120 58f39f closesocket 7119->7120 7120->7114 7121->7120 
7122 58f403 ioctlsocket 7121->7122 7124 58f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7122->7124 7124->7114 7126 58dd84 lstrcmpiA 7125->7126 7127 58c58e 7126->7127 7127->6973 7127->6980 7127->6984 7129 587dc8 InterlockedExchange 7128->7129 7130 587dc0 Sleep 7129->7130 7131 587dd4 7129->7131 7130->7129 7131->7016 7131->7017 7133 58e184 7132->7133 7134 58e2e4 7133->7134 7135 58e223 7133->7135 7148 58dfe2 7133->7148 7134->7043 7135->7134 7137 58dfe2 8 API calls 7135->7137 7141 58e23c 7137->7141 7138 58e1be 7138->7135 7139 58dbcf 3 API calls 7138->7139 7142 58e1d6 7139->7142 7140 58e21a CloseHandle 7140->7135 7141->7134 7152 58e095 RegCreateKeyExA 7141->7152 7142->7135 7142->7140 7143 58e1f9 WriteFile 7142->7143 7143->7140 7145 58e213 7143->7145 7145->7140 7146 58e2a3 7146->7134 7147 58e095 4 API calls 7146->7147 7147->7134 7149 58dffc 7148->7149 7151 58e024 7148->7151 7150 58db2e 8 API calls 7149->7150 7149->7151 7150->7151 7151->7138 7153 58e172 7152->7153 7155 58e0c0 7152->7155 7153->7146 7154 58e13d 7156 58e14e RegDeleteValueA RegCloseKey 7154->7156 7155->7154 7157 58e115 RegSetValueExA 7155->7157 7156->7153 7157->7154 7157->7155 7159 583122 InterlockedExchange 7158->7159 7160 58312e 7159->7160 7161 58310f GetTickCount 7159->7161 7160->7053 7161->7160 7162 58311a Sleep 7161->7162 7162->7159 7164 58f04e 4 API calls 7163->7164 7165 583a83 7164->7165 7168 583bc0 7165->7168 7169 583b66 lstrlenA 7165->7169 7170 583ac1 7165->7170 7166 583be6 7167 58ec2e codecvt 4 API calls 7166->7167 7167->7170 7168->7166 7171 58ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7168->7171 7169->7165 7169->7170 7170->7066 7170->7067 7171->7168 7172->7082 7173->7080 7175 586f55 wsprintfA 7174->7175 7176 586eef AllocateAndInitializeSid 7174->7176 7175->7085 7177 586f1c CheckTokenMembership 7176->7177 7178 586f44 7176->7178 7179 586f3b FreeSid 7177->7179 7180 586f2e 7177->7180 7178->7175 7182 586e36 GetUserNameW 7178->7182 7179->7178 7180->7179 7183 586e97 
7182->7183 7184 586e5f LookupAccountNameW 7182->7184 7183->7175 7184->7183 7186 582419 4 API calls 7185->7186 7187 5824b6 7186->7187 7187->7100 7189 58dd79 lstrlenA 7188->7189 7189->6457 7191 58eb21 7190->7191 7192 58eb17 7190->7192 7191->6514 7193 58eae4 2 API calls 7192->7193 7193->7191 7195 5869b9 WriteFile 7194->7195 7197 586a3c 7195->7197 7199 5869ff 7195->7199 7197->6512 7197->6513 7198 586a10 WriteFile 7198->7197 7198->7199 7199->7197 7199->7198 7201 583edc 7200->7201 7203 583ee2 7200->7203 7202 586dc2 6 API calls 7201->7202 7202->7203 7203->6527 7205 58400b CreateFileA 7204->7205 7206 58402c GetLastError 7205->7206 7208 584052 7205->7208 7207 584037 7206->7207 7206->7208 7207->7208 7209 584041 Sleep 7207->7209 7208->6530 7209->7205 7209->7208 7211 583f7c 7210->7211 7212 583f4e GetLastError 7210->7212 7214 583f8c ReadFile 7211->7214 7212->7211 7213 583f5b WaitForSingleObject GetOverlappedResult 7212->7213 7213->7211 7215 583ff0 7214->7215 7216 583fc2 GetLastError 7214->7216 7215->6535 7215->6536 7216->7215 7217 583fcf WaitForSingleObject GetOverlappedResult 7216->7217 7217->7215 7219 581924 GetVersionExA 7218->7219 7219->6575 7221 58f0ed 7220->7221 7222 58f0f1 7220->7222 7221->6607 7223 58f119 7222->7223 7224 58f0fa lstrlenA SysAllocStringByteLen 7222->7224 7225 58f11c MultiByteToWideChar 7223->7225 7224->7225 7226 58f117 7224->7226 7225->7226 7226->6607 7228 581820 17 API calls 7227->7228 7229 5818f2 7228->7229 7230 5818f9 7229->7230 7244 581280 7229->7244 7230->6602 7232 581908 7232->6602 7256 581000 7233->7256 7235 581839 7236 58183d 7235->7236 7237 581851 GetCurrentProcess 7235->7237 7236->6593 7238 581864 7237->7238 7238->6593 7240 58920e 7239->7240 7243 589308 7239->7243 7241 5892f1 Sleep 7240->7241 7242 5892bf ShellExecuteA 7240->7242 7240->7243 7241->7240 7242->7240 7242->7243 7243->6602 7245 5812e1 7244->7245 7246 5816f9 GetLastError 7245->7246 7254 5813a8 7245->7254 7247 581699 7246->7247 7247->7232 7248 581570 lstrlenW 7248->7254 7249 5815be 
GetStartupInfoW 7249->7254 7250 5815ff CreateProcessWithLogonW 7251 5816bf GetLastError 7250->7251 7252 58163f WaitForSingleObject 7250->7252 7251->7247 7253 581659 CloseHandle 7252->7253 7252->7254 7253->7254 7254->7247 7254->7248 7254->7249 7254->7250 7255 581668 CloseHandle 7254->7255 7255->7254 7257 58100d LoadLibraryA 7256->7257 7259 581023 7256->7259 7258 581021 7257->7258 7257->7259 7258->7235 7260 5810b5 GetProcAddress 7259->7260 7276 5810ae 7259->7276 7261 58127b 7260->7261 7262 5810d1 GetProcAddress 7260->7262 7261->7235 7262->7261 7263 5810f0 GetProcAddress 7262->7263 7263->7261 7264 581110 GetProcAddress 7263->7264 7264->7261 7265 581130 GetProcAddress 7264->7265 7265->7261 7266 58114f GetProcAddress 7265->7266 7266->7261 7267 58116f GetProcAddress 7266->7267 7267->7261 7268 58118f GetProcAddress 7267->7268 7268->7261 7269 5811ae GetProcAddress 7268->7269 7269->7261 7270 5811ce GetProcAddress 7269->7270 7270->7261 7271 5811ee GetProcAddress 7270->7271 7271->7261 7272 581209 GetProcAddress 7271->7272 7272->7261 7273 581225 GetProcAddress 7272->7273 7273->7261 7274 581241 GetProcAddress 7273->7274 7274->7261 7275 58125c GetProcAddress 7274->7275 7275->7261 7276->7235 7278 58908d 7277->7278 7279 5890e2 wsprintfA 7278->7279 7280 58ee2a 7279->7280 7281 5890fd CreateFileA 7280->7281 7282 58911a lstrlenA WriteFile CloseHandle 7281->7282 7283 58913f 7281->7283 7282->7283 7283->6630 7283->6631 7285 58ee2a 7284->7285 7286 589794 CreateProcessA 7285->7286 7287 5897bb 7286->7287 7288 5897c2 7286->7288 7287->6642 7289 5897d4 GetThreadContext 7288->7289 7290 589801 7289->7290 7291 5897f5 7289->7291 7298 58637c 7290->7298 7293 5897f6 TerminateProcess 7291->7293 7293->7287 7294 589816 7294->7293 7295 58981e WriteProcessMemory 7294->7295 7295->7291 7296 58983b SetThreadContext 7295->7296 7296->7291 7297 589858 ResumeThread 7296->7297 7297->7287 7299 58638a GetModuleHandleA VirtualAlloc 7298->7299 7300 586386 7298->7300 7301 5863f5 7299->7301 7302 5863b6 7299->7302 
7300->7294 7301->7294 7303 5863be VirtualAllocEx 7302->7303 7303->7301 7304 5863d6 7303->7304 7305 5863df WriteProcessMemory 7304->7305 7305->7301 7307 588791 7306->7307 7308 58879f 7306->7308 7309 58f04e 4 API calls 7307->7309 7310 5887bc 7308->7310 7311 58f04e 4 API calls 7308->7311 7309->7308 7312 58e819 11 API calls 7310->7312 7311->7310 7313 5887d7 7312->7313 7326 588803 7313->7326 7461 5826b2 gethostbyaddr 7313->7461 7316 5887eb 7318 58e8a1 30 API calls 7316->7318 7316->7326 7318->7326 7321 58f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7321->7326 7322 58e819 11 API calls 7322->7326 7323 5888a0 Sleep 7323->7326 7325 5826b2 2 API calls 7325->7326 7326->7321 7326->7322 7326->7323 7326->7325 7327 58e8a1 30 API calls 7326->7327 7358 588cee 7326->7358 7366 58c4d6 7326->7366 7369 58c4e2 7326->7369 7372 582011 7326->7372 7407 588328 7326->7407 7327->7326 7329 58407d 7328->7329 7330 584084 7328->7330 7331 583ecd 6 API calls 7330->7331 7332 58408f 7331->7332 7333 584000 3 API calls 7332->7333 7334 584095 7333->7334 7335 584130 7334->7335 7336 5840c0 7334->7336 7337 583ecd 6 API calls 7335->7337 7341 583f18 4 API calls 7336->7341 7338 584159 CreateNamedPipeA 7337->7338 7339 584188 ConnectNamedPipe 7338->7339 7340 584167 Sleep 7338->7340 7344 584195 GetLastError 7339->7344 7354 5841ab 7339->7354 7340->7335 7342 584176 CloseHandle 7340->7342 7343 5840da 7341->7343 7342->7339 7345 583f8c 4 API calls 7343->7345 7346 58425e DisconnectNamedPipe 7344->7346 7344->7354 7347 5840ec 7345->7347 7346->7339 7348 584127 CloseHandle 7347->7348 7349 584101 7347->7349 7348->7335 7351 583f18 4 API calls 7349->7351 7350 583f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7350->7354 7352 58411c ExitProcess 7351->7352 7353 583f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7353->7354 7354->7339 7354->7346 7354->7350 7354->7353 7355 58426a CloseHandle CloseHandle 7354->7355 7356 58e318 23 API calls 7355->7356 7357 58427b 
7356->7357 7357->7357 7359 588dae 7358->7359 7360 588d02 GetTickCount 7358->7360 7359->7326 7360->7359 7363 588d19 7360->7363 7361 588da1 GetTickCount 7361->7359 7363->7361 7365 588d89 7363->7365 7466 58a677 7363->7466 7469 58a688 7363->7469 7365->7361 7477 58c2dc 7366->7477 7370 58c2dc 142 API calls 7369->7370 7371 58c4ec 7370->7371 7371->7326 7373 582020 7372->7373 7374 58202e 7372->7374 7375 58f04e 4 API calls 7373->7375 7376 58204b 7374->7376 7378 58f04e 4 API calls 7374->7378 7375->7374 7377 58206e GetTickCount 7376->7377 7379 58f04e 4 API calls 7376->7379 7380 5820db GetTickCount 7377->7380 7390 582090 7377->7390 7378->7376 7383 582068 7379->7383 7381 582132 GetTickCount GetTickCount 7380->7381 7382 5820e7 7380->7382 7385 58f04e 4 API calls 7381->7385 7386 58212b GetTickCount 7382->7386 7397 581978 15 API calls 7382->7397 7403 582125 7382->7403 7807 582ef8 7382->7807 7383->7377 7384 5820d4 GetTickCount 7384->7380 7387 582159 7385->7387 7386->7381 7391 58e854 13 API calls 7387->7391 7402 5821b4 7387->7402 7388 582684 2 API calls 7388->7390 7390->7384 7390->7388 7400 5820ce 7390->7400 7817 581978 7390->7817 7393 58218e 7391->7393 7392 58f04e 4 API calls 7395 5821d1 7392->7395 7396 58e819 11 API calls 7393->7396 7398 58ea84 30 API calls 7395->7398 7405 5821f2 7395->7405 7399 58219c 7396->7399 7397->7382 7401 5821ec 7398->7401 7399->7402 7822 581c5f 7399->7822 7400->7384 7404 58f04e 4 API calls 7401->7404 7402->7392 7403->7386 7404->7405 7405->7326 7408 587dd6 6 API calls 7407->7408 7409 58833c 7408->7409 7410 588340 7409->7410 7411 586ec3 2 API calls 7409->7411 7410->7326 7412 58834f 7411->7412 7413 58835c 7412->7413 7416 58846b 7412->7416 7414 5873ff 17 API calls 7413->7414 7435 588373 7414->7435 7415 58675c 21 API calls 7423 5885df 7415->7423 7418 5884a7 RegOpenKeyExA 7416->7418 7449 588450 7416->7449 7417 588626 GetTempPathA 7431 588638 7417->7431 7420 5884c0 RegQueryValueExA 7418->7420 7421 58852f 7418->7421 7424 5884dd 7420->7424 7425 588521 RegCloseKey 
7420->7425 7427 588564 RegOpenKeyExA 7421->7427 7441 5885a5 7421->7441 7422 5886ad 7426 588762 7422->7426 7428 587e2f 6 API calls 7422->7428 7423->7417 7429 588768 7423->7429 7451 588671 7423->7451 7424->7425 7432 58ebcc 4 API calls 7424->7432 7425->7421 7426->7429 7430 588573 RegSetValueExA RegCloseKey 7427->7430 7427->7441 7438 5886bb 7428->7438 7429->7410 7434 58ec2e codecvt 4 API calls 7429->7434 7430->7441 7431->7451 7437 5884f0 7432->7437 7433 58875b DeleteFileA 7433->7426 7434->7410 7435->7410 7439 5883ea RegOpenKeyExA 7435->7439 7435->7449 7437->7425 7440 5884f8 RegQueryValueExA 7437->7440 7438->7433 7445 5886e0 lstrcpyA lstrlenA 7438->7445 7442 5883fd RegQueryValueExA 7439->7442 7439->7449 7440->7425 7443 588515 7440->7443 7444 58ec2e codecvt 4 API calls 7441->7444 7441->7449 7446 58842d RegSetValueExA 7442->7446 7447 58841e 7442->7447 7448 58ec2e codecvt 4 API calls 7443->7448 7444->7449 7450 587fcf 64 API calls 7445->7450 7452 588447 RegCloseKey 7446->7452 7447->7446 7447->7452 7453 58851d 7448->7453 7449->7415 7449->7423 7454 588719 CreateProcessA 7450->7454 7894 586ba7 IsBadCodePtr 7451->7894 7452->7449 7453->7425 7455 58873d CloseHandle CloseHandle 7454->7455 7456 58874f 7454->7456 7455->7429 7457 587ee6 64 API calls 7456->7457 7458 588754 7457->7458 7459 587ead 6 API calls 7458->7459 7460 58875a 7459->7460 7460->7433 7462 5826fb 7461->7462 7463 5826cd 7461->7463 7462->7316 7464 5826e1 inet_ntoa 7463->7464 7465 5826de 7463->7465 7464->7465 7465->7316 7472 58a63d 7466->7472 7468 58a685 7468->7363 7470 58a63d GetTickCount 7469->7470 7471 58a696 7470->7471 7471->7363 7473 58a64d 7472->7473 7474 58a645 7472->7474 7475 58a65e GetTickCount 7473->7475 7476 58a66e 7473->7476 7474->7468 7475->7476 7476->7468 7494 58a4c7 GetTickCount 7477->7494 7480 58c47a 7485 58c4ab InterlockedIncrement CreateThread 7480->7485 7486 58c4d2 7480->7486 7481 58c300 GetTickCount 7483 58c337 7481->7483 7482 58c326 7482->7483 7484 58c32b GetTickCount 7482->7484 7483->7480 7488 
58c363 GetTickCount 7483->7488 7484->7483 7485->7486 7487 58c4cb CloseHandle 7485->7487 7499 58b535 7485->7499 7486->7326 7487->7486 7488->7480 7489 58c373 7488->7489 7490 58c378 GetTickCount 7489->7490 7491 58c37f 7489->7491 7490->7491 7492 58c43b GetTickCount 7491->7492 7493 58c45e 7492->7493 7493->7480 7495 58a4f7 InterlockedExchange 7494->7495 7496 58a500 7495->7496 7497 58a4e4 GetTickCount 7495->7497 7496->7480 7496->7481 7496->7482 7497->7496 7498 58a4ef Sleep 7497->7498 7498->7495 7500 58b566 7499->7500 7501 58ebcc 4 API calls 7500->7501 7502 58b587 7501->7502 7503 58ebcc 4 API calls 7502->7503 7554 58b590 7503->7554 7504 58bdcd InterlockedDecrement 7505 58bde2 7504->7505 7507 58ec2e codecvt 4 API calls 7505->7507 7508 58bdea 7507->7508 7510 58ec2e codecvt 4 API calls 7508->7510 7509 58bdb7 Sleep 7509->7554 7511 58bdf2 7510->7511 7513 58be05 7511->7513 7514 58ec2e codecvt 4 API calls 7511->7514 7512 58bdcc 7512->7504 7514->7513 7515 58ebed 8 API calls 7515->7554 7518 58b6b6 lstrlenA 7518->7554 7519 5830b5 2 API calls 7519->7554 7520 58e819 11 API calls 7520->7554 7521 58b6ed lstrcpyA 7574 585ce1 7521->7574 7524 58b71f lstrcmpA 7525 58b731 lstrlenA 7524->7525 7524->7554 7525->7554 7526 58b772 GetTickCount 7526->7554 7527 58bd49 InterlockedIncrement 7668 58a628 7527->7668 7530 58b7ce InterlockedIncrement 7584 58acd7 7530->7584 7531 58bc5b InterlockedIncrement 7531->7554 7534 58b912 GetTickCount 7534->7554 7535 58bcdc closesocket 7535->7554 7536 58b932 GetTickCount 7538 58bc6d InterlockedIncrement 7536->7538 7536->7554 7537 58b826 InterlockedIncrement 7537->7526 7538->7554 7539 5838f0 6 API calls 7539->7554 7541 58bba6 InterlockedIncrement 7541->7554 7544 58a7c1 22 API calls 7544->7554 7545 58bc4c closesocket 7545->7554 7547 58ba71 wsprintfA 7602 58a7c1 7547->7602 7548 585ded 12 API calls 7548->7554 7550 585ce1 22 API calls 7550->7554 7552 58ab81 lstrcpynA InterlockedIncrement 7552->7554 7553 58ef1e lstrlenA 7553->7554 7554->7504 7554->7509 7554->7512 
7554->7515 7554->7518 7554->7519 7554->7520 7554->7521 7554->7524 7554->7525 7554->7526 7554->7527 7554->7530 7554->7531 7554->7534 7554->7535 7554->7536 7554->7537 7554->7539 7554->7541 7554->7544 7554->7545 7554->7547 7554->7548 7554->7550 7554->7552 7554->7553 7555 58a688 GetTickCount 7554->7555 7556 583e10 7554->7556 7559 583e4f 7554->7559 7562 58384f 7554->7562 7582 58a7a3 inet_ntoa 7554->7582 7589 58abee 7554->7589 7601 581feb GetTickCount 7554->7601 7622 583cfb 7554->7622 7625 58b3c5 7554->7625 7656 58ab81 7554->7656 7555->7554 7557 5830fa 4 API calls 7556->7557 7558 583e1d 7557->7558 7558->7554 7560 5830fa 4 API calls 7559->7560 7561 583e5c 7560->7561 7561->7554 7563 5830fa 4 API calls 7562->7563 7564 583863 7563->7564 7565 5838b9 7564->7565 7566 583889 7564->7566 7573 5838b2 7564->7573 7677 5835f9 7565->7677 7671 583718 7566->7671 7571 5835f9 6 API calls 7571->7573 7572 583718 6 API calls 7572->7573 7573->7554 7575 585cec 7574->7575 7576 585cf4 7574->7576 7683 584bd1 GetTickCount 7575->7683 7578 584bd1 4 API calls 7576->7578 7579 585d02 7578->7579 7688 585472 7579->7688 7583 58a7b9 7582->7583 7583->7554 7585 58f315 14 API calls 7584->7585 7586 58aceb 7585->7586 7587 58acff 7586->7587 7588 58f315 14 API calls 7586->7588 7587->7554 7588->7587 7590 58abfb 7589->7590 7593 58ac65 7590->7593 7751 582f22 7590->7751 7592 58f315 14 API calls 7592->7593 7593->7592 7594 58ac8a 7593->7594 7595 58ac6f 7593->7595 7594->7554 7596 58ab81 2 API calls 7595->7596 7598 58ac81 7596->7598 7597 582684 2 API calls 7599 58ac23 7597->7599 7759 5838f0 7598->7759 7599->7593 7599->7597 7601->7554 7603 58a87d lstrlenA send 7602->7603 7604 58a7df 7602->7604 7605 58a899 7603->7605 7606 58a8bf 7603->7606 7604->7603 7610 58a7fa wsprintfA 7604->7610 7613 58a80a 7604->7613 7615 58a8f2 7604->7615 7607 58a8a5 wsprintfA 7605->7607 7616 58a89e 7605->7616 7608 58a8c4 send 7606->7608 7606->7615 7607->7616 7611 58a8d8 wsprintfA 7608->7611 7608->7615 7609 58a978 recv 7614 58a982 7609->7614 
7609->7615 7610->7613 7611->7616 7612 58a9b0 wsprintfA 7612->7616 7613->7603 7614->7616 7617 5830b5 2 API calls 7614->7617 7615->7609 7615->7612 7615->7614 7616->7554 7618 58ab05 7617->7618 7619 58e819 11 API calls 7618->7619 7620 58ab17 7619->7620 7621 58a7a3 inet_ntoa 7620->7621 7621->7616 7623 5830fa 4 API calls 7622->7623 7624 583d0b 7623->7624 7624->7554 7626 585ce1 22 API calls 7625->7626 7627 58b3e6 7626->7627 7628 585ce1 22 API calls 7627->7628 7629 58b404 7628->7629 7630 58b440 7629->7630 7631 58ef7c 3 API calls 7629->7631 7632 58ef7c 3 API calls 7630->7632 7633 58b42b 7631->7633 7634 58b458 wsprintfA 7632->7634 7636 58ef7c 3 API calls 7633->7636 7635 58ef7c 3 API calls 7634->7635 7637 58b480 7635->7637 7636->7630 7638 58ef7c 3 API calls 7637->7638 7639 58b493 7638->7639 7640 58ef7c 3 API calls 7639->7640 7641 58b4bb 7640->7641 7775 58ad89 GetLocalTime SystemTimeToFileTime 7641->7775 7645 58b4cc 7646 58ef7c 3 API calls 7645->7646 7647 58b4dd 7646->7647 7648 58b211 7 API calls 7647->7648 7649 58b4ec 7648->7649 7650 58ef7c 3 API calls 7649->7650 7651 58b4fd 7650->7651 7652 58b211 7 API calls 7651->7652 7653 58b509 7652->7653 7654 58ef7c 3 API calls 7653->7654 7655 58b51a 7654->7655 7655->7554 7657 58abe9 GetTickCount 7656->7657 7659 58ab8c 7656->7659 7661 58a51d 7657->7661 7658 58aba8 lstrcpynA 7658->7659 7659->7657 7659->7658 7660 58abe1 InterlockedIncrement 7659->7660 7660->7659 7662 58a4c7 4 API calls 7661->7662 7663 58a52c 7662->7663 7664 58a542 GetTickCount 7663->7664 7666 58a539 GetTickCount 7663->7666 7664->7666 7667 58a56c 7666->7667 7667->7554 7669 58a4c7 4 API calls 7668->7669 7670 58a633 7669->7670 7670->7554 7672 58f04e 4 API calls 7671->7672 7676 58372a 7672->7676 7673 583847 7673->7572 7673->7573 7674 5837b3 GetCurrentThreadId 7675 5837c8 GetCurrentThreadId 7674->7675 7674->7676 7675->7676 7676->7673 7676->7674 7678 58f04e 4 API calls 7677->7678 7681 58360c 7678->7681 7679 5836f1 7679->7571 7679->7573 7680 5836da GetCurrentThreadId 7680->7679 
7682 5836e5 GetCurrentThreadId 7680->7682 7681->7679 7681->7680 7682->7679 7684 584bff InterlockedExchange 7683->7684 7685 584c08 7684->7685 7686 584bec GetTickCount 7684->7686 7685->7576 7686->7685 7687 584bf7 Sleep 7686->7687 7687->7684 7707 584763 7688->7707 7690 58548a 7691 585b58 7690->7691 7701 58558d lstrcpynA 7690->7701 7702 585a9f lstrcpyA 7690->7702 7703 585935 lstrcpynA 7690->7703 7704 584ae6 8 API calls 7690->7704 7705 585472 13 API calls 7690->7705 7706 5858e7 lstrcpyA 7690->7706 7711 584ae6 7690->7711 7715 58ef7c lstrlenA lstrlenA lstrlenA 7690->7715 7717 584699 7691->7717 7694 584763 lstrlenA 7695 585b6e 7694->7695 7738 584f9f 7695->7738 7697 585b79 7697->7554 7699 585549 lstrlenA 7699->7690 7701->7690 7702->7690 7703->7690 7704->7690 7705->7690 7706->7690 7709 58477a 7707->7709 7708 584859 7708->7690 7709->7708 7710 58480d lstrlenA 7709->7710 7710->7709 7712 584af3 7711->7712 7714 584b03 7711->7714 7713 58ebed 8 API calls 7712->7713 7713->7714 7714->7699 7716 58efb4 7715->7716 7716->7690 7743 5845b3 7717->7743 7720 5845b3 7 API calls 7721 5846c6 7720->7721 7722 5845b3 7 API calls 7721->7722 7723 5846d8 7722->7723 7724 5845b3 7 API calls 7723->7724 7725 5846ea 7724->7725 7726 5845b3 7 API calls 7725->7726 7727 5846ff 7726->7727 7728 5845b3 7 API calls 7727->7728 7729 584711 7728->7729 7730 5845b3 7 API calls 7729->7730 7731 584723 7730->7731 7732 58ef7c 3 API calls 7731->7732 7733 584735 7732->7733 7734 58ef7c 3 API calls 7733->7734 7735 58474a 7734->7735 7736 58ef7c 3 API calls 7735->7736 7737 58475c 7736->7737 7737->7694 7739 584fac 7738->7739 7742 584fb0 7738->7742 7739->7697 7740 584ffd 7740->7697 7741 584fd5 IsBadCodePtr 7741->7742 7742->7740 7742->7741 7744 5845c8 7743->7744 7745 5845c1 7743->7745 7747 58ebcc 4 API calls 7744->7747 7749 5845e1 7744->7749 7746 58ebcc 4 API calls 7745->7746 7746->7744 7747->7749 7748 584691 7748->7720 7749->7748 7750 58ef7c 3 API calls 7749->7750 7750->7749 7766 582d21 GetModuleHandleA 7751->7766 7754 582fcf 
GetProcessHeap HeapFree 7758 582f44 7754->7758 7755 582f85 7755->7754 7755->7755 7756 582f4f 7757 582f6b GetProcessHeap HeapFree 7756->7757 7757->7758 7758->7599 7760 583900 7759->7760 7765 583980 7759->7765 7761 5830fa 4 API calls 7760->7761 7762 58390a 7761->7762 7763 58391b GetCurrentThreadId 7762->7763 7764 583939 GetCurrentThreadId 7762->7764 7762->7765 7763->7762 7764->7762 7765->7594 7767 582d5b GetProcAddress 7766->7767 7768 582d46 LoadLibraryA 7766->7768 7769 582d6b DnsQuery_A 7767->7769 7772 582d54 7767->7772 7768->7767 7768->7772 7770 582d7d 7769->7770 7769->7772 7771 582d97 GetProcessHeap HeapAlloc 7770->7771 7770->7772 7771->7772 7773 582dac 7771->7773 7772->7755 7772->7756 7772->7758 7773->7770 7774 582db5 lstrcpynA 7773->7774 7774->7773 7776 58adbf 7775->7776 7800 58ad08 gethostname 7776->7800 7779 5830b5 2 API calls 7780 58add3 7779->7780 7781 58a7a3 inet_ntoa 7780->7781 7783 58ade4 7780->7783 7781->7783 7782 58ae85 wsprintfA 7784 58ef7c 3 API calls 7782->7784 7783->7782 7785 58ae36 wsprintfA wsprintfA 7783->7785 7786 58aebb 7784->7786 7787 58ef7c 3 API calls 7785->7787 7788 58ef7c 3 API calls 7786->7788 7787->7783 7789 58aed2 7788->7789 7790 58b211 7789->7790 7791 58b2bb FileTimeToLocalFileTime FileTimeToSystemTime 7790->7791 7792 58b2af GetLocalTime 7790->7792 7793 58b2d2 7791->7793 7792->7793 7794 58b2d9 SystemTimeToFileTime 7793->7794 7795 58b31c GetTimeZoneInformation 7793->7795 7796 58b2ec 7794->7796 7798 58b33a wsprintfA 7795->7798 7797 58b312 FileTimeToSystemTime 7796->7797 7797->7795 7798->7645 7801 58ad71 7800->7801 7806 58ad26 lstrlenA 7800->7806 7803 58ad79 lstrcpyA 7801->7803 7804 58ad85 7801->7804 7803->7804 7804->7779 7805 58ad68 lstrlenA 7805->7801 7806->7801 7806->7805 7808 582d21 7 API calls 7807->7808 7809 582f01 7808->7809 7810 582f14 7809->7810 7811 582f06 7809->7811 7813 582684 2 API calls 7810->7813 7830 582df2 GetModuleHandleA 7811->7830 7815 582f1d 7813->7815 7815->7382 7816 582f1f 7816->7382 7818 58f428 14 API calls 
7817->7818 7819 58198a 7818->7819 7820 581998 7819->7820 7821 581990 closesocket 7819->7821 7820->7390 7821->7820 7823 581c80 7822->7823 7824 581d1c 7823->7824 7825 581cc2 wsprintfA 7823->7825 7829 581d79 7823->7829 7824->7824 7827 581d47 wsprintfA 7824->7827 7826 582684 2 API calls 7825->7826 7826->7823 7828 582684 2 API calls 7827->7828 7828->7829 7829->7402 7831 582e0b 7830->7831 7832 582e10 LoadLibraryA 7830->7832 7831->7832 7833 582e17 7831->7833 7832->7833 7834 582ef1 7833->7834 7835 582e28 GetProcAddress 7833->7835 7834->7810 7834->7816 7835->7834 7836 582e3e GetProcessHeap HeapAlloc 7835->7836 7838 582e62 7836->7838 7837 582ede GetProcessHeap HeapFree 7837->7834 7838->7834 7838->7837 7839 582e7f htons inet_addr 7838->7839 7840 582ea5 gethostbyname 7838->7840 7842 582ceb 7838->7842 7839->7838 7839->7840 7840->7838 7844 582cf2 7842->7844 7845 582d1c 7844->7845 7846 582d0e Sleep 7844->7846 7847 582a62 GetProcessHeap HeapAlloc 7844->7847 7845->7838 7846->7844 7846->7845 7848 582a99 socket 7847->7848 7849 582a92 7847->7849 7850 582cd3 GetProcessHeap HeapFree 7848->7850 7851 582ab4 7848->7851 7849->7844 7850->7849 7851->7850 7865 582abd 7851->7865 7852 582adb htons 7867 5826ff 7852->7867 7854 582b04 select 7854->7865 7855 582ca4 7856 582cb3 GetProcessHeap HeapFree closesocket 7855->7856 7856->7849 7857 582b3f recv 7857->7865 7858 582b66 htons 7858->7855 7858->7865 7859 582b87 htons 7859->7855 7859->7865 7862 582bf3 GetProcessHeap HeapAlloc 7862->7865 7863 582c17 htons 7882 582871 7863->7882 7865->7852 7865->7854 7865->7855 7865->7856 7865->7857 7865->7858 7865->7859 7865->7862 7865->7863 7866 582c4d GetProcessHeap HeapFree 7865->7866 7874 582923 7865->7874 7886 582904 7865->7886 7866->7865 7868 58271d 7867->7868 7869 582717 7867->7869 7871 58272b GetTickCount htons 7868->7871 7870 58ebcc 4 API calls 7869->7870 7870->7868 7872 5827cc htons htons sendto 7871->7872 7873 58278a 7871->7873 7872->7865 7873->7872 7875 582944 7874->7875 7877 58293d 7874->7877 7890 582816 
htons 7875->7890 7877->7865 7878 582871 htons 7881 582950 7878->7881 7879 5829bd htons htons htons 7879->7877 7880 5829f6 GetProcessHeap HeapAlloc 7879->7880 7880->7877 7880->7881 7881->7877 7881->7878 7881->7879 7883 5828e3 7882->7883 7884 582889 7882->7884 7883->7865 7884->7883 7885 5828c3 htons 7884->7885 7885->7883 7885->7884 7887 582908 7886->7887 7888 582921 7886->7888 7889 582909 GetProcessHeap HeapFree 7887->7889 7888->7865 7889->7888 7889->7889 7891 58286b 7890->7891 7892 582836 7890->7892 7891->7881 7892->7891 7893 58285c htons 7892->7893 7893->7891 7893->7892 7895 586bbc 7894->7895 7896 586bc0 7894->7896 7895->7422 7897 58ebcc 4 API calls 7896->7897 7907 586bd4 7896->7907 7898 586be4 7897->7898 7899 586bfc 7898->7899 7900 586c07 CreateFileA 7898->7900 7898->7907 7903 58ec2e codecvt 4 API calls 7899->7903 7901 586c2a 7900->7901 7902 586c34 WriteFile 7900->7902 7904 58ec2e codecvt 4 API calls 7901->7904 7905 586c49 CloseHandle DeleteFileA 7902->7905 7906 586c5a CloseHandle 7902->7906 7903->7907 7904->7907 7905->7901 7908 58ec2e codecvt 4 API calls 7906->7908 7907->7422 7908->7907 8033 584960 8034 58496d 8033->8034 8036 58497d 8033->8036 8035 58ebed 8 API calls 8034->8035 8035->8036 8037 584861 IsBadWritePtr 8038 584876 8037->8038 8039 589961 RegisterServiceCtrlHandlerA 8040 58997d 8039->8040 8047 5899cb 8039->8047 8049 589892 8040->8049 8042 58999a 8043 5899ba 8042->8043 8044 589892 SetServiceStatus 8042->8044 8046 589892 SetServiceStatus 8043->8046 8043->8047 8045 5899aa 8044->8045 8045->8043 8048 5898f2 41 API calls 8045->8048 8046->8047 8048->8043 8050 5898c2 SetServiceStatus 8049->8050 8050->8042 8223 585e21 8224 585e29 8223->8224 8225 585e36 8223->8225 8226 5850dc 17 API calls 8224->8226 8226->8225 8227 5835a5 8228 5830fa 4 API calls 8227->8228 8230 5835b3 8228->8230 8229 5835ea 8230->8229 8234 58355d 8230->8234 8232 5835da 8232->8229 8233 58355d 4 API calls 8232->8233 8233->8229 8235 58f04e 4 API calls 8234->8235 8236 58356a 8235->8236 8236->8232
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0058CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0058CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0058CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0058CCB4
                                                                                            • WriteFile.KERNEL32(0058A4B3,?,-000000E8,?,00000000), ref: 0058CCDC
                                                                                            • CloseHandle.KERNEL32(0058A4B3), ref: 0058CCED
                                                                                            • wsprintfA.USER32 ref: 0058CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0058CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0058CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0058CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0058CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0058CDC4
                                                                                            • CloseHandle.KERNEL32(0058A4B3), ref: 0058CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0058CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0058CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0058D033
                                                                                            • lstrcatA.KERNEL32(?,03D00108), ref: 0058D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0058D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0058D171
                                                                                            • WriteFile.KERNEL32(00000000,03D0012C,?,?,00000000), ref: 0058D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0058D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0058D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0058D231
                                                                                            • lstrcatA.KERNEL32(?,03D00108,?,?,?,?,?,?,?,00000100), ref: 0058D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0058D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0058D2C7
                                                                                            • WriteFile.KERNEL32(00000000,03D0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0058D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0058D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0058D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0058D372
                                                                                            • lstrcatA.KERNEL32(?,03D00108,?,?,?,?,?,?,?,00000100), ref: 0058D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0058D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0058D408
                                                                                            • WriteFile.KERNEL32(00000000,03D0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0058D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0058D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0058D45B
                                                                                            • CreateProcessA.KERNEL32(?,00590264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0058D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0058D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0058D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0058D513
                                                                                            • closesocket.WS2_32(?), ref: 0058D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0058D577
                                                                                            • ExitProcess.KERNEL32 ref: 0058D583
                                                                                            • wsprintfA.USER32 ref: 0058D81F
                                                                                              • Part of subcall function 0058C65C: send.WS2_32(00000000,?,00000000), ref: 0058C74B
                                                                                            • closesocket.WS2_32(?), ref: 0058DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$X Y$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-2390319092
                                                                                            • Opcode ID: 7781c3d97f396bbb689f91ce98b6baca12b06632dd338128ca108afe067554fb
                                                                                            • Instruction ID: ebe41fa9bd2920666ed8ae82bb2780258b2fd70a5abc89109cfe1e0f33084d6c
                                                                                            • Opcode Fuzzy Hash: 7781c3d97f396bbb689f91ce98b6baca12b06632dd338128ca108afe067554fb
                                                                                            • Instruction Fuzzy Hash: 65B29572900209AFEB21BF64DC49EEE7FBDFB54304F15046AF905B6191E7309A49DB60
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00589A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00589A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00586511), ref: 00589A8A
                                                                                              • Part of subcall function 0058EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0058EC5E
                                                                                              • Part of subcall function 0058EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0058EC72
                                                                                              • Part of subcall function 0058EC54: GetTickCount.KERNEL32 ref: 0058EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00589AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00589ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00589AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00589B99
                                                                                            • ExitProcess.KERNEL32 ref: 00589C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00589CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00589D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00589D8B
                                                                                            • lstrcatA.KERNEL32(?,0059070C), ref: 00589D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00589DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00589E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00589E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00589EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00589ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00589F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00589F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00589F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00589FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00589FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00589FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0058A038
                                                                                            • lstrcatA.KERNEL32(00000022,00590A34), ref: 0058A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0058A072
                                                                                            • lstrcatA.KERNEL32(00000022,00590A34), ref: 0058A08D
                                                                                            • wsprintfA.USER32 ref: 0058A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0058A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0058A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0058A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0058A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0058A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0058A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0058A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0058A1E5
                                                                                              • Part of subcall function 005899D2: lstrcpyA.KERNEL32(?,?,00000100,005922F8,00000000,?,00589E9D,?,00000022,?,?,?,?,?,?,?), ref: 005899DF
                                                                                              • Part of subcall function 005899D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00589E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00589A3C
                                                                                              • Part of subcall function 005899D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00589E9D,?,00000022,?,?,?), ref: 00589A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0058A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0058A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0058A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0058A400
                                                                                            • DeleteFileA.KERNELBASE(005933D8), ref: 0058A407
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0058405E,00000000,00000000,00000000), ref: 0058A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0058A43A
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0058877E,00000000,00000000,00000000), ref: 0058A469
                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 0058A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0058A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0058A4B7
                                                                                            • Sleep.KERNELBASE(00001A90), ref: 0058A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$D$P$\$miqllcjz
                                                                                            • API String ID: 2089075347-2458650493
                                                                                            • Opcode ID: c407cce1cf1d463f871b37824686967aeb469a5ebb5a7450f306ee685f502e40
                                                                                            • Instruction ID: 060619480c35d2847f1a39acd72aa55dcb010cfcffb5f4d40d3d5e1eb00efafb
                                                                                            • Opcode Fuzzy Hash: c407cce1cf1d463f871b37824686967aeb469a5ebb5a7450f306ee685f502e40
                                                                                            • Instruction Fuzzy Hash: 1B5272B1D40259AFDF21ABA0CC4EEEE7FBCBB54300F1444A6F909B6141E7719A48DB61

                                                                                            Control-flow Graph

                                                                                            control_flow_graph (rendered in the report; edge list omitted): function 58199c-581ac2, whose blocks call inet_addr, LoadLibraryA, GetProcAddress (3x), GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo, HeapReAlloc, GetAdaptersInfo again, HeapFree and FreeLibrary.
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 005819B1
                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00581E9E), ref: 005819BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 005819E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 005819ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 005819F9
                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00581E9E), ref: 00581A1B
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00581E9E), ref: 00581A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00581E9E), ref: 00581A36
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00581E9E,?,?,?,?,00000001,00581E9E), ref: 00581A4A
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00581E9E,?,?,?,?,00000001,00581E9E), ref: 00581A5A
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00581E9E,?,?,?,?,00000001,00581E9E), ref: 00581A6E
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00581E9E), ref: 00581A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00581E9E), ref: 00581AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 293628436-270533642
                                                                                            • Opcode ID: 653d066575966717608f986349aab1264b1df42c71b04e7eb88ef034f445f410
                                                                                            • Instruction ID: 3c2e6e288e4c51ba382ed26a09a8759e65afde84ec2090469bf2c65ab81454b0
                                                                                            • Opcode Fuzzy Hash: 653d066575966717608f986349aab1264b1df42c71b04e7eb88ef034f445f410
                                                                                            • Instruction Fuzzy Hash: BA316936A01219AFCF15AFE0CD888BEBFBDFF54311B15096AE901B2160D7304E42EB94

                                                                                            Control-flow Graph

                                                                                            control_flow_graph (rendered in the report; edge list omitted): function 587a95-587db6, whose blocks call RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, LocalFree, GetSecurityDescriptorDacl, a GetAce/EqualSid/DeleteAce loop, a second RegOpenKeyExA, SetSecurityDescriptorDacl, RegSetKeySecurity, a call to 582544, RegSetValueExA and RegCloseKey.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00587ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00587ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0059070C,?,?,?), ref: 00587B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00587B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00587B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00587B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00587B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00587B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00587B9C
• RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00587BAB
• LocalFree.KERNEL32(00000000), ref: 00587BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00587FC9,?,00000000), ref: 00587BCE
Strings
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_580000_svchost.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$D
• API String ID: 2976863881-2072606513
• Opcode ID: 5f3fc819eb4516516f305a968a1468d181cc69e072b252794bce723e18203b28
• Instruction ID: 2d1576e383e4d62c83bf51539e2e72f5bfdc624a34ce739cb5cee7e546d03ff8
• Opcode Fuzzy Hash: 5f3fc819eb4516516f305a968a1468d181cc69e072b252794bce723e18203b28
• Instruction Fuzzy Hash: F2A12971A0421DAFDF119FA0CC88EEEBFB9FB48300F15446AE905B2190E731DA45DB60

Control-flow Graph: function at 00587809 (rendered graph and raw edge list omitted from text export)
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0058782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00587866
• GetLengthSid.ADVAPI32(?), ref: 00587878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0058789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00587F63,?), ref: 005878B8
• EqualSid.ADVAPI32(?,00587F63), ref: 005878D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 005878E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005878F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00587901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00587910
• LocalFree.KERNEL32(00000000), ref: 00587917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00587933
• GetAce.ADVAPI32(?,00000000,?), ref: 00587963
• EqualSid.ADVAPI32(?,00587F63), ref: 0058798A
• DeleteAce.ADVAPI32(?,00000000), ref: 005879A3
• EqualSid.ADVAPI32(?,00587F63), ref: 005879C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00587A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00587A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00587A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00587A79
• LocalFree.KERNEL32(00000000), ref: 00587A87
Strings
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_580000_svchost.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: 70ba1aa99f512af52b12215458bc58d061cb89079081230bef74b2c999e92a0a
• Instruction ID: 058c3d89592fd1c0f6f7ff1b89f802fd3fe2ad26b146cd3568c7aee257e9113e
• Opcode Fuzzy Hash: 70ba1aa99f512af52b12215458bc58d061cb89079081230bef74b2c999e92a0a
• Instruction Fuzzy Hash: 2281277290421EAFDB21DFA4CD49BEEBBB8FB08340F25446AE905F2150E734CA45DB60

Control-flow Graph: function at 00588328 (rendered graph and raw edge list omitted from text export)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 005883F3
• RegQueryValueExA.KERNELBASE(00590750,?,00000000,?,00588893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00588414
• RegSetValueExA.KERNELBASE(00590750,?,00000000,00000004,00588893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00588441
• RegCloseKey.ADVAPI32(00590750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0058844A
Strings
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_580000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe$localcfg
• API String ID: 237177642-601414241
• Opcode ID: d8924530179bdae18347da08b1e128527021ed65cb85c22c84ea828631c50754
• Instruction ID: 430f22cf4160da946a2ef43a2b1055f781505ced728d4145907b7326d809b95f
• Opcode Fuzzy Hash: d8924530179bdae18347da08b1e128527021ed65cb85c22c84ea828631c50754
• Instruction Fuzzy Hash: 22C170B2940109BEEF11BBA49C8AEFE7FBCFB54304F540466F905B2091EA715E489B61

Control-flow Graph: function at 00581D96 (rendered graph and raw edge list omitted from text export)
APIs
• GetVersionExA.KERNEL32 ref: 00581DC6
• GetSystemInfo.KERNELBASE(?), ref: 00581DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00581E03
• GetProcAddress.KERNEL32(00000000), ref: 00581E0A
• GetCurrentProcess.KERNEL32(?), ref: 00581E1B
• GetTickCount.KERNEL32 ref: 00581FC9
  • Part of subcall function 00581BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00581C15
Strings
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_580000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 41fa7e782ebbd2832583e243fea4ee611d56690d3304ef2b59c841e792021a9f
• Instruction ID: 09bf2267c5aa5562c7239cbd4e0b603ab6ed455c1da86384dcab7694a35bedb1
• Opcode Fuzzy Hash: 41fa7e782ebbd2832583e243fea4ee611d56690d3304ef2b59c841e792021a9f
• Instruction Fuzzy Hash: B551A1B09047456FE720BF758C8AF2BBEECFB94704F040D1DB986A2282D674A904C765

Control-flow Graph: function at 005873FF (rendered graph and raw edge list omitted from text export)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00587472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 005874F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00587528
• ___ascii_stricmp.LIBCMT ref: 0058764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 005876E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00587706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00587717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00587745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 005877EF
  • Part of subcall function 0058F1A5: lstrlenA.KERNEL32(000000C8,000000E4,005922F8,000000C8,00587150,?), ref: 0058F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0058778F
• RegCloseKey.KERNELBASE(?), ref: 005877E6
Strings
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_580000_svchost.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: c22eea839b5cd66f703b493ab1960e2f2f83c88037c9c6ee6e960ab25fc89fbf
• Instruction ID: afd85d9e6d04bcc5c676546a0990324f98b86628490a6629ae37d67318d617ab
• Opcode Fuzzy Hash: c22eea839b5cd66f703b493ab1960e2f2f83c88037c9c6ee6e960ab25fc89fbf
• Instruction Fuzzy Hash: 6CC1617290420AAFDB11ABA5DC4ABEE7FB9FF49310F240495F904F6191EB71DA44CB60

Control-flow Graph: function at 0058675C (rendered graph and raw edge list omitted from text export)
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0058677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0058679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 005867B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 005867BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 005867D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00588244,00000000,?,75920F10,00000000), ref: 00586807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0058681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0058683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0058685C
• ReadFile.KERNEL32(000000FF,?,00000028,00588244,00000000,?,75920F10,00000000), ref: 0058688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00586906
• ReadFile.KERNEL32(000000FF,?,00000000,00588244,00000000,?,75920F10,00000000), ref: 0058691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00586971
  • Part of subcall function 0058EC2E: GetProcessHeap.KERNEL32(00000000,'X,00000000,0058EA27,00000000), ref: 0058EC41
  • Part of subcall function 0058EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0058EC48
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_580000_svchost.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: 42f8cd85d1d3bb6c91b3409b81e612ddccc991738dacf22fd3087a4223b8b28c
• Instruction ID: a53bf09cd89c69d95c8685b253694d3d9e6a57821334bc3f12c123bc2e4a1c26
• Opcode Fuzzy Hash: 42f8cd85d1d3bb6c91b3409b81e612ddccc991738dacf22fd3087a4223b8b28c
• Instruction Fuzzy Hash: 4D71F571D0021EEFDF11AFA4CC84AEEBBB9FB04314F10456AE915B6190E7309E96DB60

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1159 58f315-58f332 1160 58f33b-58f372 call 58ee2a htons socket 1159->1160 1161 58f334-58f336 1159->1161 1165 58f382-58f39b ioctlsocket 1160->1165 1166 58f374-58f37d closesocket 1160->1166 1162 58f424-58f427 1161->1162 1167 58f3aa-58f3f0 connect select 1165->1167 1168 58f39d 1165->1168 1166->1162 1170 58f421 1167->1170 1171 58f3f2-58f401 __WSAFDIsSet 1167->1171 1169 58f39f-58f3a8 closesocket 1168->1169 1172 58f423 1169->1172 1170->1172 1171->1169 1173 58f403-58f416 ioctlsocket call 58f26d 1171->1173 1172->1162 1175 58f41b-58f41f 1173->1175 1175->1172
                                                                                            APIs
                                                                                            • htons.WS2_32(0058CA1D), ref: 0058F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0058F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0058F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: dd4657f16ce9f91dfb4f8cbbe5d5ea126d3412df298d9be33060f9e31a790ba5
                                                                                            • Instruction ID: dcc97a26ab9fca7caa1278750a404f593082302e7ee6f39c67ed3525239aa910
                                                                                            • Opcode Fuzzy Hash: dd4657f16ce9f91dfb4f8cbbe5d5ea126d3412df298d9be33060f9e31a790ba5
                                                                                            • Instruction Fuzzy Hash: 42316B76900119AFDB10AFA8DC899EF7BBCFF88310F104566F915E2150E7309A459BA0

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1176 58405e-58407b CreateEventA 1177 58407d-584081 1176->1177 1178 584084-5840a8 call 583ecd call 584000 1176->1178 1183 5840ae-5840be call 58ee2a 1178->1183 1184 584130-58413e call 58ee2a 1178->1184 1183->1184 1190 5840c0-5840f1 call 58eca5 call 583f18 call 583f8c 1183->1190 1189 58413f-584165 call 583ecd CreateNamedPipeA 1184->1189 1195 584188-584193 ConnectNamedPipe 1189->1195 1196 584167-584174 Sleep 1189->1196 1207 5840f3-5840ff 1190->1207 1208 584127-58412a CloseHandle 1190->1208 1200 5841ab-5841c0 call 583f8c 1195->1200 1201 584195-5841a5 GetLastError 1195->1201 1196->1189 1198 584176-584182 CloseHandle 1196->1198 1198->1195 1200->1195 1209 5841c2-5841f2 call 583f18 call 583f8c 1200->1209 1201->1200 1203 58425e-584265 DisconnectNamedPipe 1201->1203 1203->1195 1207->1208 1210 584101-584121 call 583f18 ExitProcess 1207->1210 1208->1184 1209->1203 1217 5841f4-584200 1209->1217 1217->1203 1218 584202-584215 call 583f8c 1217->1218 1218->1203 1221 584217-58421b 1218->1221 1221->1203 1222 58421d-584230 call 583f8c 1221->1222 1222->1203 1225 584232-584236 1222->1225 1225->1195 1226 58423c-584251 call 583f18 1225->1226 1229 58426a-584276 CloseHandle * 2 call 58e318 1226->1229 1230 584253-584259 1226->1230 1232 58427b 1229->1232 1230->1195 1232->1232
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00584070
                                                                                            • ExitProcess.KERNEL32 ref: 00584121
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: 65c1e5cb14e085bb84b3e5ccbe076626655d7e8ca4e5cbe9454b3e1c7d3c4a1b
                                                                                            • Instruction ID: 7dd3469f2095decf16105d29ffd14f44c5e7757b3ee9d7f587a348bb9f828171
                                                                                            • Opcode Fuzzy Hash: 65c1e5cb14e085bb84b3e5ccbe076626655d7e8ca4e5cbe9454b3e1c7d3c4a1b
                                                                                            • Instruction Fuzzy Hash: 1A517FB1D0021ABAEB20BBA08C4AFAF7E7CFB60714F110055FE05B6190E7358A45DBA1

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1233 582d21-582d44 GetModuleHandleA 1234 582d5b-582d69 GetProcAddress 1233->1234 1235 582d46-582d52 LoadLibraryA 1233->1235 1236 582d54-582d56 1234->1236 1237 582d6b-582d7b DnsQuery_A 1234->1237 1235->1234 1235->1236 1238 582dee-582df1 1236->1238 1237->1236 1239 582d7d-582d88 1237->1239 1240 582d8a-582d8b 1239->1240 1241 582deb 1239->1241 1242 582d90-582d95 1240->1242 1241->1238 1243 582de2-582de8 1242->1243 1244 582d97-582daa GetProcessHeap HeapAlloc 1242->1244 1243->1242 1245 582dea 1243->1245 1244->1245 1246 582dac-582dd9 call 58ee2a lstrcpynA 1244->1246 1245->1241 1249 582ddb-582dde 1246->1249 1250 582de0 1246->1250 1249->1243 1250->1243
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00582F01,?,005820FF,00592000), ref: 00582D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00582D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00582D61
                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00582D77
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00582D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00582DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00582DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 233223969-3847274415
                                                                                            • Opcode ID: 275b160afd1f5c4554a106f49e44444578b76f199fe2d99a9002a6836874fd13
                                                                                            • Instruction ID: 8fc6ef1f969d435bfc39289bc99c8c50b3c770afbf91c5fce9fe98f7bec0d583
                                                                                            • Opcode Fuzzy Hash: 275b160afd1f5c4554a106f49e44444578b76f199fe2d99a9002a6836874fd13
                                                                                            • Instruction Fuzzy Hash: 2F218E71902226ABCB21AF64DC489AEBFBCFF18B50F114815FD45F3150D370998697D0

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1251 5880c9-5880ed call 586ec3 1254 5880f9-588115 call 58704c 1251->1254 1255 5880ef call 587ee6 1251->1255 1260 588225-58822b 1254->1260 1261 58811b-588121 1254->1261 1258 5880f4 1255->1258 1258->1260 1262 58826c-588273 1260->1262 1263 58822d-588233 1260->1263 1261->1260 1264 588127-58812a 1261->1264 1263->1262 1265 588235-58823f call 58675c 1263->1265 1264->1260 1266 588130-588167 call 582544 RegOpenKeyExA 1264->1266 1269 588244-58824b 1265->1269 1272 58816d-58818b RegQueryValueExA 1266->1272 1273 588216-588222 call 58ee2a 1266->1273 1269->1262 1271 58824d-588269 call 5824c2 call 58ec2e 1269->1271 1271->1262 1275 58818d-588191 1272->1275 1276 5881f7-5881fe 1272->1276 1273->1260 1275->1276 1282 588193-588196 1275->1282 1280 58820d-588210 RegCloseKey 1276->1280 1281 588200-588206 call 58ec2e 1276->1281 1280->1273 1289 58820c 1281->1289 1282->1276 1285 588198-5881a8 call 58ebcc 1282->1285 1285->1280 1291 5881aa-5881c2 RegQueryValueExA 1285->1291 1289->1280 1291->1276 1292 5881c4-5881ca 1291->1292 1293 5881cd-5881d2 1292->1293 1293->1293 1294 5881d4-5881e5 call 58ebcc 1293->1294 1294->1280 1297 5881e7-5881f5 call 58ef00 1294->1297 1297->1289
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0058815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0058A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00588187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0058A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 005881BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00588210
                                                                                              • Part of subcall function 0058675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0058677E
                                                                                              • Part of subcall function 0058675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0058679A
                                                                                              • Part of subcall function 0058675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 005867B0
                                                                                              • Part of subcall function 0058675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 005867BF
                                                                                              • Part of subcall function 0058675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 005867D3
                                                                                              • Part of subcall function 0058675C: ReadFile.KERNELBASE(000000FF,?,00000040,00588244,00000000,?,75920F10,00000000), ref: 00586807
                                                                                              • Part of subcall function 0058675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0058681F
                                                                                              • Part of subcall function 0058675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0058683E
                                                                                              • Part of subcall function 0058675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0058685C
                                                                                              • Part of subcall function 0058EC2E: GetProcessHeap.KERNEL32(00000000,'X,00000000,0058EA27,00000000), ref: 0058EC41
                                                                                              • Part of subcall function 0058EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0058EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\miqllcjz\fzzrueiu.exe
                                                                                            • API String ID: 124786226-3787335913
                                                                                            • Opcode ID: 03eda99383b8268a0778d7df242bdf8a323f480bca13fec8fb102df896d93464
                                                                                            • Instruction ID: 4d07ac069df98068793f2eb67408c42fd03dac09e054bce4db72daee212b4b34
                                                                                            • Opcode Fuzzy Hash: 03eda99383b8268a0778d7df242bdf8a323f480bca13fec8fb102df896d93464
                                                                                            • Instruction Fuzzy Hash: 77417FB6901109BFEB11FBA49D89DBE7F7CFB54300F54086AE906B2051EA309E48DB51

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1300 581ac3-581adc LoadLibraryA 1301 581b6b-581b70 1300->1301 1302 581ae2-581af3 GetProcAddress 1300->1302 1303 581b6a 1302->1303 1304 581af5-581b01 1302->1304 1303->1301 1305 581b1c-581b27 GetAdaptersAddresses 1304->1305 1306 581b29-581b2b 1305->1306 1307 581b03-581b12 call 58ebed 1305->1307 1308 581b5b-581b5e 1306->1308 1309 581b2d-581b32 1306->1309 1307->1306 1315 581b14-581b1b 1307->1315 1312 581b69 1308->1312 1314 581b60-581b68 call 58ec2e 1308->1314 1309->1312 1313 581b34-581b3b 1309->1313 1312->1303 1316 581b3d-581b52 1313->1316 1317 581b54-581b59 1313->1317 1314->1312 1315->1305 1316->1316 1316->1317 1317->1308 1317->1313
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00581AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00581AE9
                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00581B20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 3646706440-1087626847
                                                                                            • Opcode ID: 26eff1b918f4d08515724f96518145624d0cfa770d8afc786edda5f806430965
                                                                                            • Instruction ID: 3a654ddf55c0f9f6426555b01f01966e526172d5df8371c004e70c3946b470c0
                                                                                            • Opcode Fuzzy Hash: 26eff1b918f4d08515724f96518145624d0cfa770d8afc786edda5f806430965
                                                                                            • Instruction Fuzzy Hash: 98110372E01538AFCF11ABA4DC898EDBFBDFB44B12F144456E805B3140E6304E42DB88

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1320 58e3ca-58e3ee RegOpenKeyExA 1321 58e528-58e52d 1320->1321 1322 58e3f4-58e3fb 1320->1322 1323 58e3fe-58e403 1322->1323 1323->1323 1324 58e405-58e40f 1323->1324 1325 58e411-58e413 1324->1325 1326 58e414-58e452 call 58ee08 call 58f1ed RegQueryValueExA 1324->1326 1325->1326 1331 58e458-58e486 call 58f1ed RegQueryValueExA 1326->1331 1332 58e51d-58e527 RegCloseKey 1326->1332 1335 58e488-58e48a 1331->1335 1332->1321 1335->1332 1336 58e490-58e4a1 call 58db2e 1335->1336 1336->1332 1339 58e4a3-58e4a6 1336->1339 1340 58e4a9-58e4d3 call 58f1ed RegQueryValueExA 1339->1340 1343 58e4e8-58e4ea 1340->1343 1344 58e4d5-58e4da 1340->1344 1343->1332 1346 58e4ec-58e516 call 582544 call 58e332 1343->1346 1344->1343 1345 58e4dc-58e4e6 1344->1345 1345->1340 1345->1343 1346->1332
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,0058E5F2,00000000,00020119,0058E5F2,005922F8), ref: 0058E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0058E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0058E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0058E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0058E482
                                                                                            • RegQueryValueExA.ADVAPI32(0058E5F2,?,00000000,?,80000001,?), ref: 0058E4CF
                                                                                            • RegCloseKey.ADVAPI32(0058E5F2,?,?,?,?,000000C8,000000E4), ref: 0058E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: 54e644cccac219e524b0f1731c4c405ab224b9c23887fd3358fd3acd60f7b8df
                                                                                            • Instruction ID: ee392fd0bd90139581b37b30601ac3b4a2f11190b37d37274e10e7f4cd747004
                                                                                            • Opcode Fuzzy Hash: 54e644cccac219e524b0f1731c4c405ab224b9c23887fd3358fd3acd60f7b8df
                                                                                            • Instruction Fuzzy Hash: 8E4107B2D0021ABFDF11AF94DC86DEEBBB9FB58304F544466EA10B2160E3319A159B60

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1351 58f26d-58f303 setsockopt * 5
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0058F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0058F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0058F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0058F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0058F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 79054fabe0cb148d5e019f4a20e3de9007cecf1e7f42df2e0df36cfee9a494f4
                                                                                            • Instruction ID: d3936213ddee4e6d3f0ae7ca6b7be78a3f55efaee016c78ede5d77cf4ea10c2f
                                                                                            • Opcode Fuzzy Hash: 79054fabe0cb148d5e019f4a20e3de9007cecf1e7f42df2e0df36cfee9a494f4
                                                                                            • Instruction Fuzzy Hash: 2A11FBB5A40248BAEF11DF94CD45F9E7FBCEB44751F004066BB04EA1D0E6B19A44DB94

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1352 581bdf-581c04 call 581ac3 1354 581c09-581c0b 1352->1354 1355 581c5a-581c5e 1354->1355 1356 581c0d-581c1d GetComputerNameA 1354->1356 1357 581c1f-581c24 1356->1357 1358 581c45-581c57 GetVolumeInformationA 1356->1358 1357->1358 1359 581c26-581c3b 1357->1359 1358->1355 1359->1359 1360 581c3d-581c3f 1359->1360 1360->1358 1361 581c41-581c43 1360->1361 1361->1355
                                                                                            APIs
                                                                                              • Part of subcall function 00581AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00581AD4
                                                                                              • Part of subcall function 00581AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00581AE9
                                                                                              • Part of subcall function 00581AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00581B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00581C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00581C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2794401326-2393279970
                                                                                            • Opcode ID: 5684e109526f56f9a5d6537b146ffb81a7d0438103d6ff83c584b5cfe934645f
                                                                                            • Instruction ID: f49fdb926d54835eb1ab36b78d792f3dcd77d36738eadefaca53b4e511f96c77
                                                                                            • Opcode Fuzzy Hash: 5684e109526f56f9a5d6537b146ffb81a7d0438103d6ff83c584b5cfe934645f
                                                                                            • Instruction Fuzzy Hash: 56018076A40518BFEB10EAE8C8C59EFBBBCBB44745F100876EA02F3140D2309E4587A4
                                                                                            APIs
                                                                                              • Part of subcall function 00581AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00581AD4
                                                                                              • Part of subcall function 00581AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00581AE9
                                                                                              • Part of subcall function 00581AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00581B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00581BA3
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00581EFD,00000000,00000000,00000000,00000000), ref: 00581BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2794401326-1857712256
                                                                                            • Opcode ID: 57543e23e8cbe084c7432cffc31a240ca8ae4305c62b30246b9bf1e8956b395e
                                                                                            • Instruction ID: 0d3b9ac4b0d6d245f421403409f99ef451e6abf9db43cae4fa88ec789ff5e3f3
                                                                                            • Opcode Fuzzy Hash: 57543e23e8cbe084c7432cffc31a240ca8ae4305c62b30246b9bf1e8956b395e
                                                                                            • Instruction Fuzzy Hash: AE018BB7D00108BFEB00ABE9CC869EFFBBCAB98650F150462AA01F3180D5705E0947A0
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00582693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0058269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: b4da168f6d623f848320548380282449580b4f9bdb756941f2b0837f5924ebc7
                                                                                            • Instruction ID: 68eea8ea187767086e5b54ca84c7c8e3edf48b6c7b63fa4dc70b3cc8abddd1e4
                                                                                            • Opcode Fuzzy Hash: b4da168f6d623f848320548380282449580b4f9bdb756941f2b0837f5924ebc7
                                                                                            • Instruction Fuzzy Hash: 26E0C2306040118FDB50AB28F848AC57FE4FF16330F025582F840E71A0EB30DC809780
                                                                                            APIs
                                                                                              • Part of subcall function 0058EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0058EC0A,00000000,80000001,?,0058DB55,7FFF0001), ref: 0058EBAD
                                                                                              • Part of subcall function 0058EBA0: HeapSize.KERNEL32(00000000,?,0058DB55,7FFF0001), ref: 0058EBB4
                                                                                            • GetProcessHeap.KERNEL32(00000000,'X,00000000,0058EA27,00000000), ref: 0058EC41
                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 0058EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$FreeSize
                                                                                            • String ID: 'X
                                                                                            • API String ID: 1305341483-3238454649
                                                                                            • Opcode ID: 8ce98e695d8c2c5ca3f5bd21a43b98af1b3d671d5953ef9fb10f29332ad80292
                                                                                            • Instruction ID: 116344153c44c434d2704976259135cda15c0dc48c530fe32535a4f923e79553
                                                                                            • Opcode Fuzzy Hash: 8ce98e695d8c2c5ca3f5bd21a43b98af1b3d671d5953ef9fb10f29332ad80292
                                                                                            • Instruction Fuzzy Hash: 2EC012329062306FC5513B50BC0EF9B6F2CAF96712F0A080AF8057609487605C40A7E1
                                                                                            APIs
                                                                                              • Part of subcall function 0058DD05: GetTickCount.KERNEL32 ref: 0058DD0F
                                                                                              • Part of subcall function 0058DD05: InterlockedExchange.KERNEL32(005936B4,00000001), ref: 0058DD44
                                                                                              • Part of subcall function 0058DD05: GetCurrentThreadId.KERNEL32 ref: 0058DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0058A445), ref: 0058E558
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,0058A445), ref: 0058E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0058A445), ref: 0058E5B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID:
                                                                                            • API String ID: 3683885500-0
                                                                                            • Opcode ID: 231f32a356e569102fc18f170ff1ec3d495f3ae4a5d2d85b0941d323f39ba708
                                                                                            • Instruction ID: 0d9895854fa968b310085b6f5b62129f870d1fbab5f8e6cf181b308f277bd582
                                                                                            • Opcode Fuzzy Hash: 231f32a356e569102fc18f170ff1ec3d495f3ae4a5d2d85b0941d323f39ba708
                                                                                            • Instruction Fuzzy Hash: 4921B2B26803027AE62077259C4FFAB3E6CFBE5750F110514BE09B51E3EA51E91493F1
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 005888A5
                                                                                              • Part of subcall function 0058F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0058E342,00000000,7508EA50,80000001,00000000,0058E513,?,00000000,00000000,?,000000E4), ref: 0058F089
                                                                                              • Part of subcall function 0058F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0058E342,00000000,7508EA50,80000001,00000000,0058E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0058F093
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                            • String ID: localcfg$rresolv
                                                                                            • API String ID: 1561729337-486471987
                                                                                            • Opcode ID: 88142fb961e25018511e947993d218f7554837fb001ef81a46843f4f99c1ec53
                                                                                            • Instruction ID: 055d175fa00a7e97c8f756c2b0efa9fc169294c5016535c3915338c12b9b561f
                                                                                            • Opcode Fuzzy Hash: 88142fb961e25018511e947993d218f7554837fb001ef81a46843f4f99c1ec53
                                                                                            • Instruction Fuzzy Hash: 0E2184325483027EF714B7666D4FB7A3EA8FB95724FD1081AFD04B50C3EEA155848BA2
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,005922F8,005842B6,00000000,00000001,005922F8,00000000,?,005898FD), ref: 00584021
                                                                                            • GetLastError.KERNEL32(?,005898FD,00000001,00000100,005922F8,0058A3C7), ref: 0058402C
                                                                                            • Sleep.KERNEL32(000001F4,?,005898FD,00000001,00000100,005922F8,0058A3C7), ref: 00584046
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: a869109e8d2485e37e850764629cb5dbe5c405bbd2946684180826a09a1a539b
                                                                                            • Instruction ID: 3f0e7e87c537b9466001d454c3ef4638e7a9089648de5d293bc55ee1ad44a5c8
                                                                                            • Opcode Fuzzy Hash: a869109e8d2485e37e850764629cb5dbe5c405bbd2946684180826a09a1a539b
                                                                                            • Instruction Fuzzy Hash: 5DF08931240142DED7311B24AC4D71B3A55FB81724F674A15FBB5F90E0C63048855F14
                                                                                            APIs
                                                                                            • GetEnvironmentVariableA.KERNEL32(0058DC19,?,00000104), ref: 0058DB7F
                                                                                            • lstrcpyA.KERNEL32(?,005928F8), ref: 0058DBA4
                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0058DBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2536392590-0
                                                                                            • Opcode ID: 397721681704cc8534790ef9eed149b8bdac8473227daa948ee6da48b175c8e6
                                                                                            • Instruction ID: 2ae06c628ae9792f2b3160c85e78f5dfb1f4e0436d21c10d68296da1e7dba3a2
                                                                                            • Opcode Fuzzy Hash: 397721681704cc8534790ef9eed149b8bdac8473227daa948ee6da48b175c8e6
                                                                                            • Instruction Fuzzy Hash: 8EF0B470100209AFEF10DF64DC49FD93BA9BB10308F504594BB51A40D0D7F2D549DF20
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0058EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0058EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0058EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 9949af495af00d75c3138f62790467b83b6ab317c87e462caa4078e2df4c54d8
                                                                                            • Instruction ID: a5c3581bff09d8dd0ce6b482981ff08c59eecbbdba9fc42a1ec8783a6fb049d6
                                                                                            • Opcode Fuzzy Hash: 9949af495af00d75c3138f62790467b83b6ab317c87e462caa4078e2df4c54d8
                                                                                            • Instruction Fuzzy Hash: A5E09AF5810204BFEB01ABB0DC4EE6B77BCEB18314F910A51B911D60E0DA749A089B60
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 005830D8
                                                                                            • gethostbyname.WS2_32(?), ref: 005830E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynamegethostname
                                                                                            • String ID:
                                                                                            • API String ID: 3961807697-0
                                                                                            • Opcode ID: 3f48e61a82d1159d543afbc26c30126292fbbf07ff6c9cc2d96380dd7dcea2cd
                                                                                            • Instruction ID: 5aa6fc86dfef7240d0e35904f1ddef87f6e34f272a0b83742789848b1999a0ab
                                                                                            • Opcode Fuzzy Hash: 3f48e61a82d1159d543afbc26c30126292fbbf07ff6c9cc2d96380dd7dcea2cd
                                                                                            • Instruction Fuzzy Hash: 15E065759001199FCF10ABA8EC89F9A7BACBB04304F080461F905E3290EA34E5088790
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0058EBFE,7FFF0001,?,0058DB55,7FFF0001), ref: 0058EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0058DB55,7FFF0001), ref: 0058EBDA
                                                                                              • Part of subcall function 0058EB74: GetProcessHeap.KERNEL32(00000000,00000000,0058EC28,00000000,?,0058DB55,7FFF0001), ref: 0058EB81
                                                                                              • Part of subcall function 0058EB74: HeapSize.KERNEL32(00000000,?,0058DB55,7FFF0001), ref: 0058EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: 98411cf3d67f69e0ad4c252b904f1b7641645929c5408e194547f73e2af2f4c0
                                                                                            • Instruction ID: dcc1498a7338356231033e67841fce421bc9d49d246a5e689540b32524ec787c
                                                                                            • Opcode Fuzzy Hash: 98411cf3d67f69e0ad4c252b904f1b7641645929c5408e194547f73e2af2f4c0
                                                                                            • Instruction Fuzzy Hash: 2BC080321042206FC60137E47C0DE9A3E5CEF84363F050405F505C11B4C7304840E795
                                                                                            APIs
                                                                                            • recv.WS2_32(000000C8,?,00000000,0058CA44), ref: 0058F476
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: recv
                                                                                            • String ID:
                                                                                            • API String ID: 1507349165-0
                                                                                            • Opcode ID: 784a89f9832504f2e9d3ca350d0028e39c3cae4640b79d949674e3201021d7d1
                                                                                            • Instruction ID: 79252aa8416410431230d8ae3e24bb48414f5cbf62036cb17d5ee4cfe2ea9cac
                                                                                            • Opcode Fuzzy Hash: 784a89f9832504f2e9d3ca350d0028e39c3cae4640b79d949674e3201021d7d1
                                                                                            • Instruction Fuzzy Hash: 65F01C7320155EAB9F11AE9ADC84CAB3FAEFBCD3507050522FE14E7120D631E8259BA0
                                                                                            APIs
                                                                                            • closesocket.WS2_32(00000000), ref: 00581992
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 0058DDB5
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00589816,EntryPoint), ref: 0058638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00589816,EntryPoint), ref: 005863A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005863CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005863EB
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00581839,00589646), ref: 00581012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 005810C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 005810E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00581101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00581121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00581140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00581160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00581180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0058119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 005811BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 005811DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 005811FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0058121A
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0058B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0058B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0058B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0058B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0058B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0058B329
• wsprintfA.USER32 ref: 0058B3B7
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
APIs
• wsprintfA.USER32 ref: 0058A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0058A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0058A893
• wsprintfA.USER32 ref: 0058A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0058A8D2
• wsprintfA.USER32 ref: 0058A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0058A97C
• wsprintfA.USER32 ref: 0058A9B9
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
APIs
• ShellExecuteExW.SHELL32(?), ref: 0058139A
• lstrlenW.KERNEL32(-00000003), ref: 00581571
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00582A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00582A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00582AA0
• htons.WS2_32(00000000), ref: 00582ADB
• select.WS2_32 ref: 00582B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00582B4A
• htons.WS2_32(?), ref: 00582B71
• htons.WS2_32(?), ref: 00582B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00582BFB
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 005870C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0058719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 005871B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00587208
• RegCloseKey.ADVAPI32(75920F10), ref: 00587291
• ___ascii_stricmp.LIBCMT ref: 005872C2
• RegCloseKey.ADVAPI32(75920F10), ref: 005872D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00587314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0058738D
• RegCloseKey.ADVAPI32(75920F10), ref: 005873D8
  • Part of subcall function 0058F1A5: lstrlenA.KERNEL32(000000C8,000000E4,005922F8,000000C8,00587150,?), ref: 0058F1AD
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
APIs
• GetLocalTime.KERNEL32(?), ref: 0058AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0058ADA6
  • Part of subcall function 0058AD08: gethostname.WS2_32(?,00000080), ref: 0058AD1C
  • Part of subcall function 0058AD08: lstrlenA.KERNEL32(00000000), ref: 0058AD60
  • Part of subcall function 0058AD08: lstrlenA.KERNEL32(00000000), ref: 0058AD69
  • Part of subcall function 0058AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0058AD7F
  • Part of subcall function 005830B5: gethostname.WS2_32(?,00000080), ref: 005830D8
  • Part of subcall function 005830B5: gethostbyname.WS2_32(?), ref: 005830E2
• wsprintfA.USER32 ref: 0058AEA5
  • Part of subcall function 0058A7A3: inet_ntoa.WS2_32(?), ref: 0058A7A9
• wsprintfA.USER32 ref: 0058AE4F
• wsprintfA.USER32 ref: 0058AE5E
  • Part of subcall function 0058EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0058EF92
  • Part of subcall function 0058EF7C: lstrlenA.KERNEL32(?), ref: 0058EF99
  • Part of subcall function 0058EF7C: lstrlenA.KERNEL32(00000000), ref: 0058EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: 02a85955d71b407740b450cf3d5d7bd6c64725403022cecdfa34a03b5822c9fe
                                                                                            • Instruction ID: 0d10eaa15e2ae3bbce8702c0774d1215092f7c6183bc77deb9acbf17f042c5b8
                                                                                            • Opcode Fuzzy Hash: 02a85955d71b407740b450cf3d5d7bd6c64725403022cecdfa34a03b5822c9fe
                                                                                            • Instruction Fuzzy Hash: 13410EB290024DAFDF25BFA0DC4AEEE3FADFB48300F14481ABD15A2191E671D9549B51
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00582F0F,?,005820FF,00592000), ref: 00582E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00582F0F,?,005820FF,00592000), ref: 00582E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00582E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00582F0F,?,005820FF,00592000), ref: 00582E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00582F0F,?,005820FF,00592000), ref: 00582E4F
                                                                                            • htons.WS2_32(00000035), ref: 00582E88
                                                                                            • inet_addr.WS2_32(?), ref: 00582E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00582EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00582F0F,?,005820FF,00592000), ref: 00582EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00582F0F,?,005820FF,00592000), ref: 00582EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: d9c7bfcae719d037a8c456171df2c77e5f8ed8c45256260c6ecb78f340eb3425
                                                                                            • Instruction ID: 922341dc86f8fee69e06b6784460e9446518025c1c33af9fac31699d24d2f1e5
                                                                                            • Opcode Fuzzy Hash: d9c7bfcae719d037a8c456171df2c77e5f8ed8c45256260c6ecb78f340eb3425
                                                                                            • Instruction Fuzzy Hash: EE318D32A0020AAFDF10ABA89C48A7E7FBCBF14361F150516ED14F72D0DB30D941AB58
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00589DD7,?,00000022,?,?,00000000,00000001), ref: 00589340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00589DD7,?,00000022,?,?,00000000,00000001), ref: 0058936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00589DD7,?,00000022,?,?,00000000,00000001), ref: 00589375
                                                                                            • wsprintfA.USER32 ref: 005893CE
                                                                                            • wsprintfA.USER32 ref: 0058940C
                                                                                            • wsprintfA.USER32 ref: 0058948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 005894F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00589526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00589571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: 00c52bfc8d07393e2ee36d5c073c120c4b1bc342ba8625653e85aa9147598510
                                                                                            • Instruction ID: dda31c8ea1ddfcd8f85cd4c86518c0433070af75a94b5544b158b9adadf57d30
                                                                                            • Opcode Fuzzy Hash: 00c52bfc8d07393e2ee36d5c073c120c4b1bc342ba8625653e85aa9147598510
                                                                                            • Instruction Fuzzy Hash: F7A171B2940209AFEF21AFA1CC49FEE3FACFB54740F140416FE05A6192E7759944DBA1
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0058B467
                                                                                              • Part of subcall function 0058EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0058EF92
                                                                                              • Part of subcall function 0058EF7C: lstrlenA.KERNEL32(?), ref: 0058EF99
                                                                                              • Part of subcall function 0058EF7C: lstrlenA.KERNEL32(00000000), ref: 0058EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: 550da56052a332197d61d973ae641d01593661ea6dde2b7ac54ae43945a6e2c9
                                                                                            • Instruction ID: a5fd2bece3a14e6443a8deb4a92119614e483fbda733bd03286e83eaadd342bc
                                                                                            • Opcode Fuzzy Hash: 550da56052a332197d61d973ae641d01593661ea6dde2b7ac54ae43945a6e2c9
                                                                                            • Instruction Fuzzy Hash: 8C413DB254021A7EDF01BAA4CCC6CBFBE7CFE89748B140515FE04B2182DB74AE1587A1
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00582078
                                                                                            • GetTickCount.KERNEL32 ref: 005820D4
                                                                                            • GetTickCount.KERNEL32 ref: 005820DB
                                                                                            • GetTickCount.KERNEL32 ref: 0058212B
                                                                                            • GetTickCount.KERNEL32 ref: 00582132
                                                                                            • GetTickCount.KERNEL32 ref: 00582142
                                                                                              • Part of subcall function 0058F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0058E342,00000000,7508EA50,80000001,00000000,0058E513,?,00000000,00000000,?,000000E4), ref: 0058F089
                                                                                              • Part of subcall function 0058F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0058E342,00000000,7508EA50,80000001,00000000,0058E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0058F093
                                                                                              • Part of subcall function 0058E854: lstrcpyA.KERNEL32(00000001,?,?,0058D8DF,00000001,localcfg,except_info,00100000,00590264), ref: 0058E88B
                                                                                              • Part of subcall function 0058E854: lstrlenA.KERNEL32(00000001,?,0058D8DF,00000001,localcfg,except_info,00100000,00590264), ref: 0058E899
                                                                                              • Part of subcall function 00581C5F: wsprintfA.USER32 ref: 00581CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: 404083959c85139f3fbd42d7225cd49592e306704fde37444b0a146232a7aa52
                                                                                            • Instruction ID: 47d0f3a502894e2279d3771d85feafe4a07d8c57dcb838b89f86806a69e6ed4e
                                                                                            • Opcode Fuzzy Hash: 404083959c85139f3fbd42d7225cd49592e306704fde37444b0a146232a7aa52
                                                                                            • Instruction Fuzzy Hash: 3C512674905346AEEB28FF34ED4EB563FD4BB64314F11042BEA05A61E1DBB4988CEB11
                                                                                            APIs
                                                                                              • Part of subcall function 0058A4C7: GetTickCount.KERNEL32 ref: 0058A4D1
                                                                                              • Part of subcall function 0058A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0058A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0058C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0058C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0058C363
                                                                                            • GetTickCount.KERNEL32 ref: 0058C378
                                                                                            • GetTickCount.KERNEL32 ref: 0058C44D
                                                                                            • InterlockedIncrement.KERNEL32(0058C4E4), ref: 0058C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0058B535,00000000,?,0058C4E0), ref: 0058C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0058C4E0,00593588,00588810), ref: 0058C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: 8bc622da80b490ba786fcb44202681e06fa404c70ba1aaef715262113e20872c
                                                                                            • Instruction ID: 97891160370a199d5e581f3bc1fa0a84a983d5dbd71871dea645b45ff048eb0a
                                                                                            • Opcode Fuzzy Hash: 8bc622da80b490ba786fcb44202681e06fa404c70ba1aaef715262113e20872c
                                                                                            • Instruction Fuzzy Hash: B5515EB1500B418FDB24AF69C5D552ABFE9FB48300B509D3ED98BD7AA0DB74F8458B20
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0058BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0058BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0058BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0058BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0058BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0058BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: aa671871660117ce68c784f0eb4c1b095526a378c90ab4636c058e2d63d7d965
                                                                                            • Instruction ID: 86473c76f3e1bba70ef8501b2d155f0a5d5c9c22e8d734e88bbe89c2b00be43d
                                                                                            • Opcode Fuzzy Hash: aa671871660117ce68c784f0eb4c1b095526a378c90ab4636c058e2d63d7d965
                                                                                            • Instruction Fuzzy Hash: 87517A71A0021AEFEF11AB64CC85AAABFADBF44344F045465EE45BB251D730ED458F90
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00589E9D,00589A60,?,?,?,005922F8,?,?,?,00589A60,?,?,00589E9D), ref: 00586ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00589A60,?,?,00589E9D), ref: 00586B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00589A60,?,?,00589E9D,?,?,?,?,?,00589E9D,?,00000022,?), ref: 00586B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 02d6e1065936b2608d10ab96a197519942a0b8c56fd75817e675a799eef356fb
                                                                                            • Instruction ID: 8486b0a6dedbd9e4ac7f84e34f73afccdab1783e0dbb7cbcc894e1ee5bcc9cb1
                                                                                            • Opcode Fuzzy Hash: 02d6e1065936b2608d10ab96a197519942a0b8c56fd75817e675a799eef356fb
                                                                                            • Instruction Fuzzy Hash: FC31DFB2900149BFCB01AFA48C49A9E7FB9FB94314F154466EA51F3261D6308949EB61
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0058D7C3), ref: 00586F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0058D7C3), ref: 00586FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00586FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0058701F
                                                                                            • wsprintfA.USER32 ref: 00587036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: 06c42d0b892617f50f2ccd297672de3892fbf12a1038d2013a1cd71c65604e07
                                                                                            • Instruction ID: 7fda37788c16446d3a160edba88621aeba8d5f86c07d0feb99746b1131e8e20c
                                                                                            • Opcode Fuzzy Hash: 06c42d0b892617f50f2ccd297672de3892fbf12a1038d2013a1cd71c65604e07
                                                                                            • Instruction Fuzzy Hash: 07310972904109AFDB01EFA8DC49ADA7FBCFF04354F148466F959EB141EA35DA088B94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,005922F8,000000E4,00586DDC,000000C8), ref: 00586CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00586CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00586D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00586D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 3e0c0f6df8e374853d603ad65f17263fcf35bffec466a4d828886019e756b253
                                                                                            • Instruction ID: 20281cc739d2c0c4f640394f5e80df93a0415dac9d11723a567c1cde0e75c7c5
                                                                                            • Opcode Fuzzy Hash: 3e0c0f6df8e374853d603ad65f17263fcf35bffec466a4d828886019e756b253
                                                                                            • Instruction Fuzzy Hash: 7221F3617862457EFB2277219CCEF772E9CAB62740F0D0445FD04BA1D1CB958849D3E6
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00589947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,005922F8), ref: 005897B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,005922F8), ref: 005897EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,005922F8), ref: 005897F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,005922F8), ref: 00589831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,005922F8), ref: 0058984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,005922F8), ref: 0058985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: 817a5e33f359481e819e265d4e35db13a45351d38b72c77169792bee0bd7cb7b
                                                                                            • Instruction ID: 797188381c998a87cc4c0dc519e57a24a41638df8dbc6265b30887a70454f660
                                                                                            • Opcode Fuzzy Hash: 817a5e33f359481e819e265d4e35db13a45351d38b72c77169792bee0bd7cb7b
                                                                                            • Instruction Fuzzy Hash: 2E21EA71901219ABDB21AFA1DC49EEF7FBCFF09754F440461BA19F1190EB709A44DBA0
                                                                                            APIs
                                                                                              • Part of subcall function 0058DD05: GetTickCount.KERNEL32 ref: 0058DD0F
                                                                                              • Part of subcall function 0058DD05: InterlockedExchange.KERNEL32(005936B4,00000001), ref: 0058DD44
                                                                                              • Part of subcall function 0058DD05: GetCurrentThreadId.KERNEL32 ref: 0058DD53
                                                                                              • Part of subcall function 0058DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0058DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00581E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0058EAAA,?,?), ref: 0058E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0058EAAA,?,?,00000001,?,00581E84,?), ref: 0058E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0058EAAA,?,?,00000001,?,00581E84,?,0000000A), ref: 0058E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0058EAAA,?,?,00000001,?,00581E84,?), ref: 0058E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 9ce001ec6d1a79ae145146ebf108fea99df14da154d6fb23b56734258e90859d
                                                                                            • Instruction ID: a854e1771fd1a42c0ca285dd3241f0634fcf48e21b99736dddfcfca687e3eafc
                                                                                            • Opcode Fuzzy Hash: 9ce001ec6d1a79ae145146ebf108fea99df14da154d6fb23b56734258e90859d
                                                                                            • Instruction Fuzzy Hash: 4C51207290020AAFCF11EFA8CD89DAEBBF9FF44304F14456AE805B7251D775EA149B60
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: b032bb4e97f39ca72972c9906ef33d60368b5c84d9adf9ad03698b315619aa15
                                                                                            • Instruction ID: 12c8daea056196986fb341e0a13e32cd8ed8486905098459be465acaa6a4e9f9
                                                                                            • Opcode Fuzzy Hash: b032bb4e97f39ca72972c9906ef33d60368b5c84d9adf9ad03698b315619aa15
                                                                                            • Instruction Fuzzy Hash: F0218C76105116FFDB11ABA0ED8EEAF3EACFB44365B214816F942F1090EA319E04A774
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,005922F8), ref: 0058907B
                                                                                            • wsprintfA.USER32 ref: 005890E9
                                                                                            • CreateFileA.KERNEL32(005922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0058910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00589122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0058912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00589134
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: 1b9fde78902aa13736f894aa8007790280a78a4b49ad4ecafd151559407fb37f
                                                                                            • Instruction ID: a738861740f94c023ab5ee22cd81e25c337bfb6171f61680b1f03aa5a790fcc9
                                                                                            • Opcode Fuzzy Hash: 1b9fde78902aa13736f894aa8007790280a78a4b49ad4ecafd151559407fb37f
                                                                                            • Instruction Fuzzy Hash: 361160B6A401157EEB247762DC0FEAF3A7EEFD4B00F008465BB0AB5091EA704E0597A4
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0058DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0058DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0058DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0058E538,?,75920F10,?,00000000,?,0058A445), ref: 0058DD3B
                                                                                            • InterlockedExchange.KERNEL32(005936B4,00000001), ref: 0058DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0058DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 3341d9d940a0e40184520be392eecd07e12051e6e0ecd16cec8a8a8add3c1a34
                                                                                            • Instruction ID: d239cd33ed94e708f43b261c5686271b9352b27746e2662e1d2647c366efaf60
                                                                                            • Opcode Fuzzy Hash: 3341d9d940a0e40184520be392eecd07e12051e6e0ecd16cec8a8a8add3c1a34
                                                                                            • Instruction Fuzzy Hash: E7F03A7210A204EFDB807B65EC88B297BBDB764352F520817E909D22E1C620554DAB72
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0058AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0058AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0058AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0058AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: d1334e7e346efccfb67e56f11ec45cb030e63fe983f017198343dae4e9b67a9a
                                                                                            • Instruction ID: f6d23e2f0ab6bc1a61baded4a398bbfb9a0efff2e5028dd009830524873fb863
                                                                                            • Opcode Fuzzy Hash: d1334e7e346efccfb67e56f11ec45cb030e63fe983f017198343dae4e9b67a9a
                                                                                            • Instruction Fuzzy Hash: 7801492084718A5DFF312638C849BA83F657B96706F501057DCC0FB552E75488478393
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,005898FD,00000001,00000100,005922F8,0058A3C7), ref: 00584290
                                                                                            • CloseHandle.KERNEL32(0058A3C7), ref: 005843AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 005843AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 8e663a4919ce21789db47b93a822a11e95de8e9a393db1a0baf550b1586e138a
                                                                                            • Instruction ID: 8ed10c0d01bd3a70c843a1ceabe46b79eab774362ee8db5b925d5696853f6cf8
                                                                                            • Opcode Fuzzy Hash: 8e663a4919ce21789db47b93a822a11e95de8e9a393db1a0baf550b1586e138a
                                                                                            • Instruction Fuzzy Hash: 14415271D0020ABADB11BBA1CD4AFAFBFB8FF50324F104555FA15B6191DB349A41DBA0
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,005864CF,00000000), ref: 0058609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,005864CF,00000000), ref: 005860C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0058614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0058619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: 7417b5062ec8b780af2576205f51cb3f6dd7606426fb71b98cbec1f5e51fe893
                                                                                            • Instruction ID: 2c23cd3d660cae4e92103472210dded9d80780ad075a09ff250d2f7d6265e6d9
                                                                                            • Opcode Fuzzy Hash: 7417b5062ec8b780af2576205f51cb3f6dd7606426fb71b98cbec1f5e51fe893
                                                                                            • Instruction Fuzzy Hash: C9417E71A0020AEFEB14EF54C889B69BBB5FF54354F248469EC15E7292D730ED44DB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6b8ed515d95014c9f12c195973792b191e6655b7135165835591cc256dc8ec6d
                                                                                            • Instruction ID: 6c7acacdf30916735746126e511b2849d38917e08f4b1ef8a700bc547f0ad9c7
                                                                                            • Opcode Fuzzy Hash: 6b8ed515d95014c9f12c195973792b191e6655b7135165835591cc256dc8ec6d
                                                                                            • Instruction Fuzzy Hash: A831A271900309ABCB21AFA5CC86ABEBFF4FF88701F10445AF904F6241E374D6419B54
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0058272E
                                                                                            • htons.WS2_32(00000001), ref: 00582752
                                                                                            • htons.WS2_32(0000000F), ref: 005827D5
                                                                                            • htons.WS2_32(00000001), ref: 005827E3
                                                                                            • sendto.WS2_32(?,00592BF8,00000009,00000000,00000010,00000010), ref: 00582802
                                                                                              • Part of subcall function 0058EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0058EBFE,7FFF0001,?,0058DB55,7FFF0001), ref: 0058EBD3
                                                                                              • Part of subcall function 0058EBCC: RtlAllocateHeap.NTDLL(00000000,?,0058DB55,7FFF0001), ref: 0058EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6b4ac34e46d69064742db03da368e433e806df5773486b07820e3e258c1c9f74
                                                                                            • Instruction ID: a0e03ce6bb1e1962ea972e9dfa4345a0d6219e2a288a0babf4e75a31aee6b6c4
                                                                                            • Opcode Fuzzy Hash: 6b4ac34e46d69064742db03da368e433e806df5773486b07820e3e258c1c9f74
                                                                                            • Instruction Fuzzy Hash: D7315834248382AFD710AF75DC80AA17FA1FF29314F1A405EEC55DB362D232D846EB40
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,005922F8), ref: 0058915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00589166
                                                                                            • CharToOemA.USER32(?,?), ref: 00589174
                                                                                            • wsprintfA.USER32 ref: 005891A9
                                                                                              • Part of subcall function 00589064: GetTempPathA.KERNEL32(00000400,?,00000000,005922F8), ref: 0058907B
                                                                                              • Part of subcall function 00589064: wsprintfA.USER32 ref: 005890E9
                                                                                              • Part of subcall function 00589064: CreateFileA.KERNEL32(005922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0058910E
                                                                                              • Part of subcall function 00589064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00589122
                                                                                              • Part of subcall function 00589064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0058912D
                                                                                              • Part of subcall function 00589064: CloseHandle.KERNEL32(00000000), ref: 00589134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005891E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 91da892636d35ff38e1f150f3662612a038ac529670e557179a7a8debd4df691
                                                                                            • Instruction ID: 7ea5455e05a7b2fddbd0b01b9bd2270055816c6270c4dec458befefc8539a1d0
                                                                                            • Opcode Fuzzy Hash: 91da892636d35ff38e1f150f3662612a038ac529670e557179a7a8debd4df691
                                                                                            • Instruction Fuzzy Hash: EC0140F79401597BDB20A7619D4DEEF7A7CEB95701F000492BB49E2080D6709689DF70
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00582491,?,?,?,0058E844,-00000030,?,?,?,00000001), ref: 00582429
• lstrlenA.KERNEL32(?,?,00582491,?,?,?,0058E844,-00000030,?,?,?,00000001,00581E3D,00000001,localcfg,lid_file_upd), ref: 0058243E
• lstrcmpiA.KERNEL32(?,?), ref: 00582452
• lstrlenA.KERNEL32(?,?,00582491,?,?,?,0058E844,-00000030,?,?,?,00000001,00581E3D,00000001,localcfg,lid_file_upd), ref: 00582467
Memory Dump Source
• Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00586F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*pX), ref: 00586F24
• FreeSid.ADVAPI32(?), ref: 00586F3E
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *pX
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
APIs
  • Part of subcall function 0058DD05: GetTickCount.KERNEL32 ref: 0058DD0F
  • Part of subcall function 0058DD05: InterlockedExchange.KERNEL32(005936B4,00000001), ref: 0058DD44
  • Part of subcall function 0058DD05: GetCurrentThreadId.KERNEL32 ref: 0058DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00585EC1), ref: 0058E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00585EC1), ref: 0058E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,00585EC1), ref: 0058E722
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0058E2A3,00000000,00000000,00000000,00020106,00000000,0058E2A3,00000000,000000E4), ref: 0058E0B2
• RegSetValueExA.ADVAPI32(0058E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,005922F8), ref: 0058E127
• RegDeleteValueA.ADVAPI32(0058E2A3,?,?,?,?,?,000000C8,005922F8), ref: 0058E158
• RegCloseKey.ADVAPI32(0058E2A3,?,?,?,?,000000C8,005922F8,?,?,?,?,?,?,?,?,0058E2A3), ref: 0058E161
• API ID: Value$CloseCreateDelete
APIs
• WriteFile.KERNEL32(00000000,00000000,0058A3C7,00000000,00000000,000007D0,00000001), ref: 00583F44
• GetLastError.KERNEL32 ref: 00583F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00583F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00583F72
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
APIs
• ReadFile.KERNEL32(00000000,00000000,0058A3C7,00000000,00000000,000007D0,00000001), ref: 00583FB8
• GetLastError.KERNEL32 ref: 00583FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00583FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00583FE6
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
APIs
• GetTickCount.KERNEL32 ref: 0058A4D1
• GetTickCount.KERNEL32 ref: 0058A4E4
• Sleep.KERNEL32(00000000,?,0058C2E9,0058C4E0,00000000,localcfg,?,0058C4E0,00593588,00588810), ref: 0058A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0058A4FA
• API ID: CountTick$ExchangeInterlockedSleep
APIs
• GetTickCount.KERNEL32 ref: 00584E9E
• GetTickCount.KERNEL32 ref: 00584EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00584EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00584EC3
• API ID: CountTick$ExchangeInterlockedSleep
APIs
• GetTickCount.KERNEL32 ref: 00584BDD
• GetTickCount.KERNEL32 ref: 00584BEC
• Sleep.KERNEL32(00000000,?,?,?,02C1B1A4,005850F2), ref: 00584BF9
• InterlockedExchange.KERNEL32(02C1B198,00000001), ref: 00584C02
• API ID: CountTick$ExchangeInterlockedSleep
APIs
• GetTickCount.KERNEL32 ref: 00583103
• GetTickCount.KERNEL32 ref: 0058310F
• Sleep.KERNEL32(00000000), ref: 0058311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00583128
• API ID: CountTick$ExchangeInterlockedSleep
APIs
• WriteFile.KERNEL32(00589A60,?,?,00000000,00000000,00589A60,?,00000000), ref: 005869F9
• WriteFile.KERNEL32(00589A60,?,00589A60,00000000,00000000), ref: 00586A27
• API ID: FileWrite
• String ID: ,kX
• API ID: CountTick
• String ID: localcfg
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0058C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: f859310123432ae3d6d7625cf507408198be198a903e8f1c79c3ec7a573f3759
                                                                                            • Instruction ID: 5e1ba422ffc782ea90c085b193e9dc34ca9dcb5387bb180acdee412c688563eb
                                                                                            • Opcode Fuzzy Hash: f859310123432ae3d6d7625cf507408198be198a903e8f1c79c3ec7a573f3759
                                                                                            • Instruction Fuzzy Hash: F7119772100100FFDB429BA9CD48E567FA6FF88318B34959CF6188E166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 005830FA: GetTickCount.KERNEL32 ref: 00583103
                                                                                              • Part of subcall function 005830FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00583128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00583929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00583939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: 6ad77a60f01890b875d1d41492954f3dc4d232c97a6cd9a9ed2180f922f463ea
                                                                                            • Instruction ID: 942b9e91a825bb50f0535bb2116cc5c14f91ddd91f34dce6b4b57007254baf30
                                                                                            • Opcode Fuzzy Hash: 6ad77a60f01890b875d1d41492954f3dc4d232c97a6cd9a9ed2180f922f463ea
                                                                                            • Instruction Fuzzy Hash: 82113A71900215EFDB20EF19D485A5CFBF4FB44B15F11855EE844A7291C7B0AB84DFA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0058BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0058ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00593640), ref: 0058ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 5365ef512a4cf386cd6ae4bf41b7fb28eded17692f6d7dd433ba83c61a505c58
                                                                                            • Instruction ID: 448eb612cfbd5bd5826d80624b811563f165f13a484ae6dce9a978b6847103c8
                                                                                            • Opcode Fuzzy Hash: 5365ef512a4cf386cd6ae4bf41b7fb28eded17692f6d7dd433ba83c61a505c58
                                                                                            • Instruction Fuzzy Hash: 4A01DE315082C4AFEB11DF18C885E967FA6BF15310F150886E9C097243C370EA54CB92
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 005826C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 005826E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: 733d67618a5d9cc1b5b6701a143e44742264012678c59314441e38710e9c3057
                                                                                            • Instruction ID: c628adac2cdd6a99af951da8a049d16bfac41526c08247e47e838d957d2334d7
                                                                                            • Opcode Fuzzy Hash: 733d67618a5d9cc1b5b6701a143e44742264012678c59314441e38710e9c3057
                                                                                            • Instruction Fuzzy Hash: 6AF012761482096FEF017FA5EC0AA9A3F9CEF05750F244426FE08EA090EB71D9409798
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0058EB54,_alldiv,0058F0B7,80000001,00000000,00989680,00000000,?,?,?,0058E342,00000000,7508EA50,80000001,00000000), ref: 0058EAF2
                                                                                            • GetProcAddress.KERNEL32(76E80000,00000000), ref: 0058EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: 8e6e06c7558750a1ad83c595d3406a65834ef7cbde7adb9250f2cef5361a6fed
                                                                                            • Instruction ID: ba2d27b83aff272e1f946c75a0baa71f167c3c772065968d448fa8cf0a6903da
                                                                                            • Opcode Fuzzy Hash: 8e6e06c7558750a1ad83c595d3406a65834ef7cbde7adb9250f2cef5361a6fed
                                                                                            • Instruction Fuzzy Hash: 05D0C935600302ABCF125FA5EE0F90A7AA8BB70742B814416A806D1260E730D94CFB00
                                                                                            APIs
                                                                                              • Part of subcall function 00582D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00582F01,?,005820FF,00592000), ref: 00582D3A
                                                                                              • Part of subcall function 00582D21: LoadLibraryA.KERNEL32(?), ref: 00582D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00582F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00582F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000012.00000002.3312549089.0000000000580000.00000040.00000400.00020000.00000000.sdmp, Offset: 00580000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_18_2_580000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 16ae6e11ea641eefda1b6fb03ecbb5fd1937459cee1e705a20da0c5ed0a7ab8d
                                                                                            • Instruction ID: def97f928de5e8bad377f987667f7f5327d8168d8582f0daa6cacf893c57d474
                                                                                            • Opcode Fuzzy Hash: 16ae6e11ea641eefda1b6fb03ecbb5fd1937459cee1e705a20da0c5ed0a7ab8d
                                                                                            • Instruction Fuzzy Hash: 30519D7190020AEFDF02AF64D8899B9BBB9FF15304F104569ED96E7211E7329A19CB90