

Windows Analysis Report
igvdwmhd.exe

Overview

General Information

Sample name: igvdwmhd.exe
Analysis ID: 1488276
MD5: c9bc1db6a4cbaea0905f847035b8df57
SHA1: 4c719e43ae5aa3aedc3c495ea87bcf91c9a3f1f1
SHA256: 0af8466115f0b1e17bc2d35d10acbbec1a2162bbf497e1acacf2bd17b926f068
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Yara signature match

Classification

  • System is w10x64
  • svchost.exe (PID: 7180 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 7556 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • igvdwmhd.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\igvdwmhd.exe" MD5: C9BC1DB6A4CBAEA0905F847035B8DF57)
    • cmd.exe (PID: 7536 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptcoklzf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7592 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7644 cmdline: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7700 cmdline: "C:\Windows\System32\sc.exe" description ptcoklzf "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7756 cmdline: "C:\Windows\System32\sc.exe" start ptcoklzf MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7820 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1232 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7472 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ybyrikeu.exe (PID: 7800 cmdline: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d"C:\Users\user\Desktop\igvdwmhd.exe" MD5: 4E044BA5CE650DE4D036125F371C831D)
    • svchost.exe (PID: 7952 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 7992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 544 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7836 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7904 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7348 -ip 7348 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7968 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7800 -ip 7800 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 1240 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches (Source / Rule / Description / Author / Strings)

Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp
  Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
  Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown; Strings:
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen; Strings:
    • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
    • 0x10310:$s2: loader_id
    • 0x10340:$s3: start_srv
    • 0x10370:$s4: lid_file_upd
    • 0x10364:$s5: localcfg
    • 0x10a94:$s6: Incorrect respons
    • 0x10b74:$s7: mx connect error
    • 0x10af0:$s8: Error sending command (sent = %d/%d)
    • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
  Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown; Strings:
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings)

Source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack
  Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
  Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown; Strings:
    • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen; Strings:
    • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
    • 0xed10:$s2: loader_id
    • 0xed40:$s3: start_srv
    • 0xed70:$s4: lid_file_upd
    • 0xed64:$s5: localcfg
    • 0xf494:$s6: Incorrect respons
    • 0xf574:$s7: mx connect error
    • 0xf4f0:$s8: Error sending command (sent = %d/%d)
    • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack
  Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
  Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown; Strings:
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

          System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d"C:\Users\user\Desktop\igvdwmhd.exe", ParentImage: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe, ParentProcessId: 7800, ParentProcessName: ybyrikeu.exe, ProcessCommandLine: svchost.exe, ProcessId: 7952, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\igvdwmhd.exe", ParentImage: C:\Users\user\Desktop\igvdwmhd.exe, ParentProcessId: 7348, ParentProcessName: igvdwmhd.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7644, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.40.26, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7952, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d"C:\Users\user\Desktop\igvdwmhd.exe", ParentImage: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe, ParentProcessId: 7800, ParentProcessName: ybyrikeu.exe, ProcessCommandLine: svchost.exe, ProcessId: 7952, ProcessName: svchost.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\igvdwmhd.exe", ParentImage: C:\Users\user\Desktop\igvdwmhd.exe, ParentProcessId: 7348, ParentProcessName: igvdwmhd.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\, ProcessId: 7592, ProcessName: cmd.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7952, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\ptcoklzf
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\igvdwmhd.exe", ParentImage: C:\Users\user\Desktop\igvdwmhd.exe, ParentProcessId: 7348, ParentProcessName: igvdwmhd.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7644, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, CommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc, ProcessId: 7180, ProcessName: svchost.exe
          No Suricata rule has matched



          AV Detection

Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: jotunheim.name:443; Avira URL Cloud: Label: malware
Source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: igvdwmhd.exe; ReversingLabs: Detection: 47%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.3% probability
Source: C:\Users\user\AppData\Local\Temp\ybyrikeu.exe; Joe Sandbox ML: detected
Source: igvdwmhd.exe; Joe Sandbox ML: detected

          Compliance

Source: C:\Users\user\Desktop\igvdwmhd.exe; Unpacked PE file: 2.2.igvdwmhd.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Unpacked PE file: 15.2.ybyrikeu.exe.400000.0.unpack
Source: C:\Users\user\Desktop\igvdwmhd.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

          Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\ptcoklzf

          Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 108.177.15.27 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.40.26 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 213.226.112.95 443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.228.110 25
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.40.26 52.101.40.26
Source: Joe Sandbox View; IP Address: 213.226.112.95 213.226.112.95
Source: Joe Sandbox View; IP Address: 67.195.228.110 67.195.228.110
Source: Joe Sandbox View; IP Address: 94.100.180.31 94.100.180.31
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: RETN-ASEU RETN-ASEU
Source: Joe Sandbox View; ASN Name: YAHOO-GQ1US YAHOO-GQ1US
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU MAILRU-ASMailRuRU
Source: global traffic; TCP traffic: 192.168.2.7:49701 -> 52.101.40.26:25
Source: global traffic; TCP traffic: 192.168.2.7:49708 -> 67.195.228.110:25
Source: global traffic; TCP traffic: 192.168.2.7:49709 -> 108.177.15.27:25
Source: global traffic; TCP traffic: 192.168.2.7:49712 -> 94.100.180.31:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00402A62: GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown; Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49713

          Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.2950000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.igvdwmhd.exe.2af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.svchost.exe.2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.igvdwmhd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.igvdwmhd.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.svchost.exe.2b80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.igvdwmhd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: igvdwmhd.exe PID: 7348, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ybyrikeu.exe PID: 7800, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR

          System Summary

          Source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.2.ybyrikeu.exe.2950000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.2.ybyrikeu.exe.2950000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 2.3.igvdwmhd.exe.2af0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 2.3.igvdwmhd.exe.2af0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 2.2.igvdwmhd.exe.29b0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 2.2.igvdwmhd.exe.29b0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 21.2.svchost.exe.2b80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 21.2.svchost.exe.2b80000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 2.3.igvdwmhd.exe.2af0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 2.3.igvdwmhd.exe.2af0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.3.ybyrikeu.exe.2910000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.3.ybyrikeu.exe.2910000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.2.ybyrikeu.exe.28e0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.2.ybyrikeu.exe.28e0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.2.ybyrikeu.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.2.ybyrikeu.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 2.2.igvdwmhd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 2.2.igvdwmhd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 2.2.igvdwmhd.exe.29b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 2.2.igvdwmhd.exe.29b0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.2.ybyrikeu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.2.ybyrikeu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 21.2.svchost.exe.2b80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 21.2.svchost.exe.2b80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 2.2.igvdwmhd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 2.2.igvdwmhd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000F.00000002.1368074204.00000000029B2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
          Source: 00000002.00000002.1351232837.0000000002BB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
          Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
          Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
          Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
          Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ptcoklzf\
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_0040C913
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Code function: 15_2_0040C913
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_02B8C913
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: String function: 029B27AB appears 35 times
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: String function: 0040EE2A appears 40 times
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: String function: 00402544 appears 53 times
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7348 -ip 7348
          Source: igvdwmhd.exe, 00000002.00000002.1350362984.000000000282C000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamesOdilesigo: vs igvdwmhd.exe
          Source: igvdwmhd.exe, 00000002.00000002.1351269613.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesOdilesigo: vs igvdwmhd.exe
          Source: igvdwmhd.exe | Binary or memory string: OriginalFilenamesOdilesigo: vs igvdwmhd.exe
          Source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.2.ybyrikeu.exe.2950000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.2.ybyrikeu.exe.2950000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 2.3.igvdwmhd.exe.2af0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 2.3.igvdwmhd.exe.2af0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 2.2.igvdwmhd.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 2.2.igvdwmhd.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 21.2.svchost.exe.2b80000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 21.2.svchost.exe.2b80000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 2.3.igvdwmhd.exe.2af0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 2.3.igvdwmhd.exe.2af0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.3.ybyrikeu.exe.2910000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.3.ybyrikeu.exe.2910000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.2.ybyrikeu.exe.28e0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.2.ybyrikeu.exe.28e0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.2.ybyrikeu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.2.ybyrikeu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 2.2.igvdwmhd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 2.2.igvdwmhd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 2.2.igvdwmhd.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 2.2.igvdwmhd.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.2.ybyrikeu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.2.ybyrikeu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 21.2.svchost.exe.2b80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 21.2.svchost.exe.2b80000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 2.2.igvdwmhd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 2.2.igvdwmhd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0000000F.00000002.1368074204.00000000029B2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 00000002.00000002.1351232837.0000000002BB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
          Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
          Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
          Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@37/4@10/5
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_02BBE348 CreateToolhelp32Snapshot,Module32First
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Code function: 15_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_02B89A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7584:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7968:64:WilError_03
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7904:64:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
          Source: C:\Users\user\Desktop\igvdwmhd.exe | File created: C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe
          Source: C:\Users\user\Desktop\igvdwmhd.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: igvdwmhd.exe | ReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\igvdwmhd.exe | File read: C:\Users\user\Desktop\igvdwmhd.exe
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_2-14491
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_15-14636
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
          Source: unknown | Process created: C:\Users\user\Desktop\igvdwmhd.exe "C:\Users\user\Desktop\igvdwmhd.exe"
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptcoklzf\
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description ptcoklzf "wifi internet conection"
          Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ptcoklzf
          Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d"C:\Users\user\Desktop\igvdwmhd.exe"
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7348 -ip 7348
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1232
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7800 -ip 7800
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 544
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptcoklzf\
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support"
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description ptcoklzf "wifi internet conection"
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ptcoklzf
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7348 -ip 7348
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1232
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7800 -ip 7800
          Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 544
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: msimg32.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: dbghelp.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: msvcr100.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Section loaded: msimg32.dll
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Section loaded: dbghelp.dll
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Section loaded: msvcr100.dll
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
          Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
          Source: igvdwmhd.exe | Static file information: File size 14508544 > 1048576
          Source: C:\Users\user\Desktop\igvdwmhd.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

          Data Obfuscation

          Source: C:\Users\user\Desktop\igvdwmhd.exe | Unpacked PE file: 2.2.igvdwmhd.exe.400000.0.unpack .text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Unpacked PE file: 15.2.ybyrikeu.exe.400000.0.unpack .text:ER;.data:W;.xevaj:R;.zac:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Unpacked PE file: 2.2.igvdwmhd.exe.400000.0.unpack
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe | Unpacked PE file: 15.2.ybyrikeu.exe.400000.0.unpack
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 2_2_00406069

          Persistence and Installation Behavior

          Source: unknown | Executable created and started: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
          Source: C:\Users\user\Desktop\igvdwmhd.exe | File created: C:\Users\user\AppData\Local\Temp\ybyrikeu.exe
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe (copy)
          Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe (copy)
          Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Code function: 2_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 2_2_00409A6B
          Source: C:\Users\user\Desktop\igvdwmhd.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support"

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\svchost.exeFile deleted: c:\users\user\desktop\igvdwmhd.exeJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeCode function: 2_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00401000
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\igvdwmhd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 21_2_02B8199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_15-15060)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_2-15933)
Source: C:\Windows\SysWOW64\svchost.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_21-6989)
Source: C:\Windows\SysWOW64\svchost.exe; Evaded block: after key decision (graph_21-6131)
Source: C:\Windows\SysWOW64\svchost.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_21-7318)
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_15-15017)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_2-14924)
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_15-14651)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-14506)
Source: C:\Users\user\Desktop\igvdwmhd.exe; API coverage: 5.4 %
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; API coverage: 3.9 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 7988; Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 7988; Thread sleep time: -33000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (6 times)
Source: C:\Windows\SysWOW64\svchost.exe; Last function: Thread delayed (2 times)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount
Source: svchost.exe, 00000015.00000002.2523329859.0000000003000000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: svchost.exe, 00000004.00000002.2523386989.000002104C631000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\igvdwmhd.exe; API call chain: ExitProcess graph end node (graph_2-14936)
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; API call chain: ExitProcess graph end node (graph_15-15020)

          Anti Debugging

Source: C:\Windows\SysWOW64\svchost.exe; Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_21-7483)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_2-15994)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_029B0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_029B092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_02BBDC25 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Code function: 15_2_028E0D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Code function: 15_2_028E092B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Code function: 15_2_029B6A3D push dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_0040EBCC GetProcessHeap,RtlAllocateHeap
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Code function: 15_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 21_2_02B89A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 108.177.15.27 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.40.26 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 213.226.112.95 443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.228.110 25
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2B80000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B80000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B80000
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 2DF9008
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptcoklzf\
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description ptcoklzf "wifi internet conection"
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start ptcoklzf
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7348 -ip 7348
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1232
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7800 -ip 7800
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 544
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: C:\Users\user\Desktop\igvdwmhd.exe; Queries volume information: C:\ VolumeInformation (2 times)
Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Queries volume information: C:\ VolumeInformation (2 times)
Source: C:\Windows\SysWOW64\netsh.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe; Queries volume information: C:\ VolumeInformation (4 times)
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe; Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: C:\Users\user\Desktop\igvdwmhd.exe; Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul (2 times)
Source: svchost.exe, 00000001.00000002.2523985177.00000210D2302000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000001.00000002.2523985177.00000210D2302000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\svchost.exe; WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (2 times)

          Stealing of Sensitive Information

Source: Yara match; File source: 15.2.ybyrikeu.exe.28e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.2950000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.2950000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.3.igvdwmhd.exe.2af0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.svchost.exe.2b80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.igvdwmhd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.igvdwmhd.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.2.svchost.exe.2b80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.ybyrikeu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.3.ybyrikeu.exe.2910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.igvdwmhd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: igvdwmhd.exe PID: 7348, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ybyrikeu.exe PID: 7800, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7952, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match; File sources: the same 23 matches (12 UNPACKEDPE, 8 MEMORY, 3 MEMORYSTR) listed under Stealing of Sensitive Information above
Source: C:\Users\user\Desktop\igvdwmhd.exe; Code function: 2_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe; Code function: 15_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 21_2_02B888B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
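The installation chain recorded under HIPS / PFW / Operating System Protection Evasion (mkdir and move into a fresh SysWOW64 subdirectory, sc create with start= auto and a benign-looking DisplayName, a netsh allow rule for svchost.exe, then svchost.exe spawned by the service binary) and the port-25 connections that the injected svchost.exe makes to several mail exchangers together make a compact detection target. The Python below is an added example written for this page; it is not code from the Joe Sandbox report or from the Tofsee sample. The event records are constructed from the command lines, parent processes and destination IPs the report lists and are shaped like Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) fields; the rule names, the services.exe allowlist and the fan-out threshold of three MX hosts are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on this report's process creations and
# network connections (Sysmon EID 1 / EID 3 shaped). Not captured from the sandbox.
SAMPLE_EVENTS = [
    {"eid": 1, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Users\user\Desktop\igvdwmhd.exe",
     "cmdline": "\"C:\\Windows\\System32\\cmd.exe\" /C mkdir C:\\Windows\\SysWOW64\\ptcoklzf\\"},
    {"eid": 1, "image": r"C:\Windows\SysWOW64\sc.exe",
     "parent": r"C:\Users\user\Desktop\igvdwmhd.exe",
     "cmdline": r'"C:\Windows\System32\sc.exe" create ptcoklzf binPath= '
                r'"C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" '
                r'type= own start= auto DisplayName= "wifi support"'},
    {"eid": 1, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent": r"C:\Users\user\Desktop\igvdwmhd.exe",
     "cmdline": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule '
                r'name="Host-process for services of Windows" dir=in action=allow '
                r'program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"eid": 1, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent": r"C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe", "cmdline": "svchost.exe"},
    # Benign contrast: the service control manager is the expected svchost parent.
    {"eid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]
SAMPLE_EVENTS += [{"eid": 3, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": ip, "dport": port}
                  for ip, port in [("108.177.15.27", 25), ("94.100.180.31", 25), ("52.101.40.26", 25),
                                   ("67.195.228.110", 25), ("213.226.112.95", 443)]]

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
SVCHOST_PARENTS = {"services.exe"}  # assumed allowlist; extend for your environment


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_service_persistence(ev):
    """sc.exe create whose binPath lies in a subdirectory of a Windows system directory."""
    if ev["eid"] != 1 or _basename(ev["image"]) != "sc.exe":
        return None
    cmd = ev["cmdline"]
    name = re.search(r"\bcreate\s+(\S+)", cmd, re.I)
    path = re.search(r'binpath=\s*"?([a-z]:\\[^"\s]+)', cmd, re.I)
    if not name or not path:
        return None
    binpath = path.group(1).lower()
    # One level below System32/SysWOW64 (ptcoklzf\ in the report); binaries placed
    # directly in those directories are not flagged by this rule.
    in_subdir = any(binpath.startswith(d) and binpath.count("\\") > d.count("\\")
                    for d in SYSTEM_DIRS)
    if not in_subdir:
        return None
    display = re.search(r'displayname=\s*"([^"]*)"', cmd, re.I)
    return {"rule": "service_persistence", "service": name.group(1), "binpath": binpath,
            "auto_start": re.search(r"start=\s*auto", cmd, re.I) is not None,
            "display_name": display.group(1) if display else None}


def check_firewall_allow(ev):
    """netsh advfirewall 'add rule ... action=allow' scoped to a program."""
    if ev["eid"] != 1 or _basename(ev["image"]) != "netsh.exe":
        return None
    cmd = ev["cmdline"].lower()
    if "advfirewall" not in cmd or "add rule" not in cmd or "action=allow" not in cmd:
        return None
    prog = re.search(r'program="?([^"\s]+)', cmd)
    return {"rule": "firewall_allow_rule", "program": prog.group(1) if prog else None}


def check_svchost_parent(ev):
    """svchost.exe started by anything other than the service control manager."""
    if ev["eid"] != 1 or _basename(ev["image"]) != "svchost.exe":
        return None
    if _basename(ev["parent"]) in SVCHOST_PARENTS:
        return None
    return {"rule": "svchost_unexpected_parent", "image": ev["image"], "parent": ev["parent"]}


def check_smtp_fanout(events, threshold=3):
    """One process opening tcp/25 sessions to several distinct MX hosts.
    Tofsee is a spam bot; a workstation process has no reason to do this."""
    per_image = defaultdict(set)
    for ev in events:
        if ev["eid"] == 3 and ev["dport"] == 25:
            per_image[ev["image"]].add(ev["dst"])
    return [{"rule": "smtp_fanout", "image": img, "distinct_mx": sorted(ips)}
            for img, ips in per_image.items() if len(ips) >= threshold]


def triage(events):
    """Per-event checks in event order, then the aggregate SMTP fan-out check."""
    findings = []
    for ev in events:
        for check in (check_service_persistence, check_firewall_allow, check_svchost_parent):
            hit = check(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_smtp_fanout(events))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each rule on its own is noisy (administrators create services and firewall rules too), so the value is in the co-occurrence: a service whose binary was just moved into a new SysWOW64 subdirectory, an inbound allow rule for svchost.exe created by a user-profile executable, and a svchost.exe whose parent is that service binary rather than services.exe. The firewall rule name in the report ("Host-process for services of Windows") mimics the description Windows gives the real svchost.exe, which is why the example keys on the command's structure rather than on the name.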
MITRE ATT&CK Matrix (a leading number is the report's count badge for a technique observed in this analysis)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 4 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 41 Native API | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 14 Windows Service | 1 Access Token Manipulation | 1 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 3 Service Execution | Login Hook | 14 Windows Service | 2 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph (ID 1488276, sample igvdwmhd.exe, start date 05/08/2024, architecture WINDOWS, score 100)

Start node: contacts yahoo.com, vanaheim.cn and 7 other IPs or domains. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures. Started processes: ybyrikeu.exe, igvdwmhd.exe, svchost.exe, 3 other processes.

igvdwmhd.exe
  dropped: C:\Users\user\AppData\Local\...\ybyrikeu.exe, PE32
  signatures: Found API chain indicative of debugger detection; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  started: cmd.exe (dropped C:\Windows\SysWOW64\...\ybyrikeu.exe (copy), PE32; started conhost.exe); netsh.exe (started conhost.exe); cmd.exe (started conhost.exe); 4 other processes (started 3 conhost.exe)

ybyrikeu.exe
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  started: svchost.exe; WerFault.exe

svchost.exe (started by ybyrikeu.exe)
  network: mta5.am0.yahoodns.net 67.195.228.110 port 25 (YAHOO-GQ1US, United States); vanaheim.cn 213.226.112.95 port 443 from local ports 49702 and 49710 (RETN-ASEU, Russian Federation); 3 other IPs or domains
  signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

svchost.exe (system)
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  started: MpCmdRun.exe (started conhost.exe)

3 other processes
  started: WerFault.exe; WerFault.exe



Source | Detection | Scanner | Label | Link
igvdwmhd.exe | 47% | ReversingLabs | Win32.Trojan.BotX |
igvdwmhd.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\ybyrikeu.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing |
jotunheim.name:443 | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
mta5.am0.yahoodns.net | 67.195.228.110 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.40.26 | true | true | | unknown
vanaheim.cn | 213.226.112.95 | true | true | | unknown
smtp.google.com | 108.177.15.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
time.windows.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.40.26 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
213.226.112.95 | vanaheim.cn | Russian Federation | 9002 | RETN-ASEU | true
108.177.15.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
67.195.228.110 | mta5.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488276
Start date and time: 2024-08-05 19:51:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: igvdwmhd.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@37/4@10/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 62
• Number of non-executed functions: 256
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe
                            • Excluded IPs from analysis (whitelisted): 40.119.148.38, 20.76.201.171, 20.70.246.20, 20.112.250.133, 20.236.44.162, 20.231.239.246
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtEnumerateKey calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: igvdwmhd.exe
Time | Type | Description
15:33:32 | API Interceptor | 6x Sleep call for process: svchost.exe modified
15:33:40 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
52.101.40.26 | .exe | malicious | Unknown
52.101.40.26 | setup.exe | malicious | Tofsee
52.101.40.26 | lYWiDKe1In.exe | malicious | Tofsee
52.101.40.26 | DWoKcG581L.exe | malicious | Tofsee
52.101.40.26 | Wc4SadetF5.exe | malicious | Tofsee
52.101.40.26 | L7iza9mNDI.exe | malicious | Tofsee
52.101.40.26 | file.exe | malicious | Tofsee
52.101.40.26 | U9dDsItOij.exe | malicious | Tofsee
52.101.40.26 | t26nL0kcxj.exe | malicious | Tofsee
52.101.40.26 | lhs31fcc2k0lmr.exe | malicious | Tofsee
213.226.112.95 | fdnoqmpv.exe | malicious | Tofsee
213.226.112.95 | SGn3RtDC8Y.exe | malicious | Tofsee
213.226.112.95 | Sm4Ty3Em4z.exe | malicious | Tofsee
213.226.112.95 | ewdWlNc8TL.exe | malicious | Tofsee
213.226.112.95 | rRBVVlBwia.exe | malicious | Tofsee
67.195.228.110 | I5vhb7vJPS.exe | malicious | Tofsee
67.195.228.110 | OgcktrbHkI.exe | malicious | Tofsee
67.195.228.110 | file.exe | malicious | Phorpiex
67.195.228.110 | file.exe | malicious | Phorpiex
67.195.228.110 | gEkl9O5tiu.exe | malicious | Phorpiex
67.195.228.110 | file.exe | malicious | Phorpiex, Xmrig
67.195.228.110 | data.log.exe | malicious | Unknown
67.195.228.110 | Update-KB7390-x86.exe | malicious | Unknown
67.195.228.110 | Update-KB78-x86.exe | malicious | Unknown
67.195.228.110 | Update-KB6340-x86.exe | malicious | Unknown
94.100.180.31 | fdnoqmpv.exe | malicious | Tofsee
94.100.180.31 | rRBVVlBwia.exe | malicious | Tofsee
94.100.180.31 | setup.exe | malicious | Tofsee
94.100.180.31 | m4Jp2TLBHJ.exe | malicious | Tofsee
94.100.180.31 | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
94.100.180.31 | vyrcclmm.exe | malicious | Tofsee
94.100.180.31 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
94.100.180.31 | file.exe | malicious | Phorpiex, Xmrig
94.100.180.31 | .exe | malicious | Unknown
94.100.180.31 | ydbWyoxHsd.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mxs.mail.ru | fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | setup.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 5CxmQXL0LD.exe | malicious | SystemBC | 94.100.180.31
mxs.mail.ru | m4Jp2TLBHJ.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 94.100.180.31
mta5.am0.yahoodns.net | fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
mta5.am0.yahoodns.net | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 98.136.96.91
mta5.am0.yahoodns.net | vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
mta5.am0.yahoodns.net | lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
mta5.am0.yahoodns.net | I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
mta5.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.110
mta5.am0.yahoodns.net | file.exe | malicious | Phorpiex | 98.136.96.74
mta5.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.77
mta5.am0.yahoodns.net | newtpp.exe | malicious | Phorpiex | 67.195.204.77
mta5.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.228.110
microsoft-com.mail.protection.outlook.com | fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | .exe | malicious | Unknown | 52.101.40.26
microsoft-com.mail.protection.outlook.com | Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | setup.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | m4Jp2TLBHJ.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 104.47.54.36
microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 104.47.53.36
vanaheim.cn | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | setup.exe | malicious | Tofsee | 185.218.0.41
vanaheim.cn | m4Jp2TLBHJ.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | vyrcclmm.exe | malicious | Tofsee | 195.133.13.231
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RETN-ASEU | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | http://baghoorg.xyz | malicious | Unknown | 139.45.197.153
RETN-ASEU | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 139.45.197.236
RETN-ASEU | LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 139.45.197.236
RETN-ASEU | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | https://ky.codzika.xyz/pubg/ | malicious | Unknown | 139.45.197.250
RETN-ASEU | https://plcr.com.ng/atm.php?user=21003&ref=21003 | malicious | Unknown | 139.45.197.237
YAHOO-GQ1US | fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
YAHOO-GQ1US | SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
YAHOO-GQ1US | .exe | malicious | Unknown | 67.195.228.84
YAHOO-GQ1US | botx.arm6.elf | malicious | Mirai | 98.137.77.194
YAHOO-GQ1US | qD7cj0t7Ag.elf | malicious | Mirai, Moobot | 98.137.186.234
YAHOO-GQ1US | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 67.195.228.94
YAHOO-GQ1US | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
YAHOO-GQ1US | https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500 | malicious | Unknown | 98.137.11.164
YAHOO-GQ1US | dIg0MWRViP.exe | malicious | Tofsee | 67.195.228.94
YAHOO-GQ1US | GK9sEyIS4f.elf | malicious | Mirai | 98.136.201.234
MICROSOFT-CORP-MSN-AS-BLOCKUS | fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.google.com/aclk?sa=l&ai=DChcSEwiOgc__s96HAxWtIa0GHQSaKnoYABAAGgJwdg&co=1&ase=2&gclid=Cj0KCQjw8MG1BhCoARIsAHxSiQnsGgXsF9N-CTUdvkZ2OgloHU2xKGwSfDGxLDHi9ENt3nSRslGk5Z4aAjQUEALw_wcB&sig=AOD64_30gJrlZCnbDWmeAyph6Mlb_4IJhA&q&nis=4&adurl&ved=2ahUKEwjassj_s96HAxXDLkQIHVr9KdQQ0Qx6BAgtEAE | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | ATT78758.htm | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | BWISE Solution #24-2000091.pdf | malicious | Unknown | 52.146.76.30
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://www.templatent.com/eur/53d926b2-0373-4a76-8641-e3f5488f632d/768e4d81-78b7-4fd9-a857-c5bae5c87179/8806a07c-707c-445d-b36c-c08aabe89fc9/login?id=… | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://grace-barr.filemail.com/t/Fc9Dus5d | malicious | HTMLPhisher | 52.98.241.162
MICROSOFT-CORP-MSN-AS-BLOCKUS | 001original.eml | malicious | Unknown | 104.208.16.91
MICROSOFT-CORP-MSN-AS-BLOCKUS | Saic Benefits_Enrollment.html | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | FW Quote.msg | malicious | HTMLPhisher | 52.109.76.243
MAILRU-ASMailRuRU | fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | SecuriteInfo.com.Trojan.Crypt.28917.30010.exe | malicious | Unknown | 5.61.236.163
MAILRU-ASMailRuRU | IISz6QDXkY.elf | malicious | Mirai | 5.61.23.77
MAILRU-ASMailRuRU | ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | 7Y18r(123).exe | malicious | Unknown | 94.100.180.106
MAILRU-ASMailRuRU | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | setup.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | malicious | Unknown | 5.61.236.163
Process: C:\Users\user\Desktop\igvdwmhd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 15572992
Entropy (8bit): 4.713302845034789
Encrypted: false
SSDEEP: 24576:gIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOX:gItG1
MD5: 4E044BA5CE650DE4D036125F371C831D
SHA1: FB01D78149115F4C4C297CC6575502F5365DD418
SHA-256: 97C0608034E227257A2FBDBEC942D18E466D0B170AF0E50442793C4309D7E38C
SHA-512: 83EA7BE9EE27D643E88D0CD3D09E9A3EE0569792E6F3D88572D956BAFF0A88EFF6CA88360BEF3114159A686CF936DDD010DBF360D6A61AA5535B741CBF4E4CE0
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview (PE header bytes; readable strings only): MZ, "!This program cannot be run in DOS mode", Rich header, PE signature, section names .text, .data, .xevaj, .zac, .rsrc
Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 2464
Entropy (8bit): 3.247704476547741
Encrypted: false
SSDEEP: 24:QOaqdmuF3r3V+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxU:FaqdF7F+AAHdKoqKFxcxkFF
MD5: 9064B33E48E036AF7DB5B5302FDDE36D
SHA1: AD85B41EFE2A4EA2223C87F242449433E842FE51
SHA-256: 4B3E23FE316D61D5E6C8B1EBF2F1FA262EC6A559CD740F9AB7CBDF52117AC83F
SHA-512: 1A73EBB4ED2D52C127788020D9E442D2A8BD8F0A44F81A832A24FE0C1D1753EEB4F3946F0F001904091DA34F3AA57DEC7D81729CF5984EDCEB35338E5EFD0D07
Malicious: false
Preview (decoded from UTF-16):
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Mon Aug 05 2024 15:33:40
MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
*********************************** WSC State Info *************************
*********************************** AntiVirusProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsd…
                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15572992
                                                                                                  Entropy (8bit):4.713302845034789
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:gIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOX:gItG1
                                                                                                  MD5:4E044BA5CE650DE4D036125F371C831D
                                                                                                  SHA1:FB01D78149115F4C4C297CC6575502F5365DD418
                                                                                                  SHA-256:97C0608034E227257A2FBDBEC942D18E466D0B170AF0E50442793C4309D7E38C
                                                                                                  SHA-512:83EA7BE9EE27D643E88D0CD3D09E9A3EE0569792E6F3D88572D956BAFF0A88EFF6CA88360BEF3114159A686CF936DDD010DBF360D6A61AA5535B741CBF4E4CE0
                                                                                                  Malicious:true
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d......................A......[............@..........................`C.....Ta.........................................P.....B.............................................................A..@............................................text...0........................... ..`.data...T.?......|..................@....xevaj........B......0..............@..@.zac..........B......4..............@....rsrc........B..h...8..............@..@........................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3773
                                                                                                  Entropy (8bit):4.7109073551842435
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                  MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                  SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                  SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                  SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                  Malicious:false
                                                                                                  Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):4.7146578323586645
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:igvdwmhd.exe
                                                                                                  File size:14'508'544 bytes
                                                                                                  MD5:c9bc1db6a4cbaea0905f847035b8df57
                                                                                                  SHA1:4c719e43ae5aa3aedc3c495ea87bcf91c9a3f1f1
                                                                                                  SHA256:0af8466115f0b1e17bc2d35d10acbbec1a2162bbf497e1acacf2bd17b926f068
                                                                                                  SHA512:cf25a1f8532dbcb00bbce76ded3a9f04bdd3cb455f754ed25d58db143f03f897e974ad6ca04511eda5afa5b8edd9ab7e01f2342f33eb70ea484daf80283e33bc
                                                                                                  SSDEEP:24576:eIbasG14OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO:eItG1
                                                                                                  TLSH:18E6E4503AEDD499E6F24B745974F3ED212BBCABB864825F36643F0B3831746284172E
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*~TQK..QK..QK..>=..rK..>=..pK..>=...K..X3..VK..QK..-K..>=..PK..>=..PK..>=..PK..RichQK..........PE..L....".d...................
                                                                                                  Icon Hash:cd4d3d2e4e054d07
Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
Aug 5, 2024 19:52:18.159456015 CEST | 49701 | 25  | 192.168.2.7    | 52.101.40.26
Aug 5, 2024 19:52:19.163780928 CEST | 49701 | 25  | 192.168.2.7    | 52.101.40.26
Aug 5, 2024 19:52:21.163851976 CEST | 49701 | 25  | 192.168.2.7    | 52.101.40.26
Aug 5, 2024 19:52:21.348467112 CEST | 49702 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:52:21.348505020 CEST | 443   | 49702 | 213.226.112.95 | 192.168.2.7
Aug 5, 2024 19:52:21.348573923 CEST | 49702 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:52:25.163817883 CEST | 49701 | 25  | 192.168.2.7    | 52.101.40.26
Aug 5, 2024 19:52:33.163877010 CEST | 49701 | 25  | 192.168.2.7    | 52.101.40.26
Aug 5, 2024 19:52:38.182869911 CEST | 49708 | 25  | 192.168.2.7    | 67.195.228.110
Aug 5, 2024 19:52:39.179490089 CEST | 49708 | 25  | 192.168.2.7    | 67.195.228.110
Aug 5, 2024 19:52:41.195132971 CEST | 49708 | 25  | 192.168.2.7    | 67.195.228.110
Aug 5, 2024 19:52:45.210851908 CEST | 49708 | 25  | 192.168.2.7    | 67.195.228.110
Aug 5, 2024 19:52:53.210906029 CEST | 49708 | 25  | 192.168.2.7    | 67.195.228.110
Aug 5, 2024 19:52:58.216710091 CEST | 49709 | 25  | 192.168.2.7    | 108.177.15.27
Aug 5, 2024 19:52:59.226716042 CEST | 49709 | 25  | 192.168.2.7    | 108.177.15.27
Aug 5, 2024 19:53:01.226531029 CEST | 49709 | 25  | 192.168.2.7    | 108.177.15.27
Aug 5, 2024 19:53:01.336157084 CEST | 49702 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:01.336227894 CEST | 443   | 49702 | 213.226.112.95 | 192.168.2.7
Aug 5, 2024 19:53:01.336363077 CEST | 49702 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:01.446445942 CEST | 49710 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:01.446492910 CEST | 443   | 49710 | 213.226.112.95 | 192.168.2.7
Aug 5, 2024 19:53:01.446647882 CEST | 49710 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:05.226470947 CEST | 49709 | 25  | 192.168.2.7    | 108.177.15.27
Aug 5, 2024 19:53:13.226589918 CEST | 49709 | 25  | 192.168.2.7    | 108.177.15.27
Aug 5, 2024 19:53:18.236073017 CEST | 49712 | 25  | 192.168.2.7    | 94.100.180.31
Aug 5, 2024 19:53:19.242182970 CEST | 49712 | 25  | 192.168.2.7    | 94.100.180.31
Aug 5, 2024 19:53:21.242254972 CEST | 49712 | 25  | 192.168.2.7    | 94.100.180.31
Aug 5, 2024 19:53:25.257911921 CEST | 49712 | 25  | 192.168.2.7    | 94.100.180.31
Aug 5, 2024 19:53:33.257894993 CEST | 49712 | 25  | 192.168.2.7    | 94.100.180.31
Aug 5, 2024 19:53:41.445718050 CEST | 49710 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:41.445811033 CEST | 443   | 49710 | 213.226.112.95 | 192.168.2.7
Aug 5, 2024 19:53:41.445967913 CEST | 49710 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:41.555610895 CEST | 49713 | 443 | 192.168.2.7    | 213.226.112.95
Aug 5, 2024 19:53:41.555666924 CEST | 443   | 49713 | 213.226.112.95 | 192.168.2.7
Aug 5, 2024 19:53:41.555751085 CEST | 49713 | 443 | 192.168.2.7    | 213.226.112.95
Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
Aug 5, 2024 19:52:12.721364975 CEST | 51297 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:18.122225046 CEST | 55340 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:18.158596992 CEST | 53    | 55340 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:52:21.056119919 CEST | 59021 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:21.346550941 CEST | 53    | 59021 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:52:38.164603949 CEST | 63972 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:38.172527075 CEST | 53    | 63972 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:52:38.173639059 CEST | 53349 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:38.182168007 CEST | 53    | 53349 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:52:58.195938110 CEST | 60658 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:58.205764055 CEST | 53    | 60658 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:52:58.206578016 CEST | 62677 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:52:58.216089964 CEST | 53    | 62677 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:53:18.211545944 CEST | 53535 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:53:18.226720095 CEST | 53    | 53535 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:53:18.227549076 CEST | 53654 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:53:18.235491037 CEST | 53    | 53654 | 1.1.1.1     | 192.168.2.7
Aug 5, 2024 19:54:14.765954018 CEST | 59776 | 53    | 192.168.2.7 | 1.1.1.1
Aug 5, 2024 19:54:14.808582067 CEST | 53    | 59776 | 1.1.1.1     | 192.168.2.7
Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                                      | Type               | Class       | DNS over HTTPS
Aug 5, 2024 19:52:12.721364975 CEST | 192.168.2.7 | 1.1.1.1 | 0x25b2 | Standard query (0) | time.windows.com                          | A (IP address)     | IN (0x0001) | false
Aug 5, 2024 19:52:18.122225046 CEST | 192.168.2.7 | 1.1.1.1 | 0x4c34 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address)     | IN (0x0001) | false
Aug 5, 2024 19:52:21.056119919 CEST | 192.168.2.7 | 1.1.1.1 | 0x350  | Standard query (0) | vanaheim.cn                               | A (IP address)     | IN (0x0001) | false
Aug 5, 2024 19:52:38.164603949 CEST | 192.168.2.7 | 1.1.1.1 | 0x84e1 | Standard query (0) | yahoo.com                                 | MX (Mail exchange) | IN (0x0001) | false
Aug 5, 2024 19:52:38.173639059 CEST | 192.168.2.7 | 1.1.1.1 | 0x7c30 | Standard query (0) | mta5.am0.yahoodns.net                     | A (IP address)     | IN (0x0001) | false
Aug 5, 2024 19:52:58.195938110 CEST | 192.168.2.7 | 1.1.1.1 | 0x270f | Standard query (0) | google.com                                | MX (Mail exchange) | IN (0x0001) | false
Aug 5, 2024 19:52:58.206578016 CEST | 192.168.2.7 | 1.1.1.1 | 0x4358 | Standard query (0) | smtp.google.com                           | A (IP address)     | IN (0x0001) | false
Aug 5, 2024 19:53:18.211545944 CEST | 192.168.2.7 | 1.1.1.1 | 0x910a | Standard query (0) | mail.ru                                   | MX (Mail exchange) | IN (0x0001) | false
Aug 5, 2024 19:53:18.227549076 CEST | 192.168.2.7 | 1.1.1.1 | 0xd59a | Standard query (0) | mxs.mail.ru                               | A (IP address)     | IN (0x0001) | false
Aug 5, 2024 19:54:14.765954018 CEST | 192.168.2.7 | 1.1.1.1 | 0xad3b | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address)     | IN (0x0001) | false
Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                                      | CName                  | Address        | Type                   | Class       | DNS over HTTPS
Aug 5, 2024 19:52:12.728830099 CEST | 1.1.1.1 | 192.168.2.7 | 0x25b2 | No error (0) | time.windows.com                          | twc.trafficmanager.net | -              | CNAME (Canonical name) | IN (0x0001) | false
Aug 5, 2024 19:52:18.158596992 CEST | 1.1.1.1 | 192.168.2.7 | 0x4c34 | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.40.26   | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:18.158596992 CEST | 1.1.1.1 | 192.168.2.7 | 0x4c34 | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.11.0    | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:18.158596992 CEST | 1.1.1.1 | 192.168.2.7 | 0x4c34 | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.42.0    | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:18.158596992 CEST | 1.1.1.1 | 192.168.2.7 | 0x4c34 | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.8.49    | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:21.346550941 CEST | 1.1.1.1 | 192.168.2.7 | 0x350  | No error (0) | vanaheim.cn                               | -                      | 213.226.112.95 | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.172527075 CEST | 1.1.1.1 | 192.168.2.7 | 0x84e1 | No error (0) | yahoo.com                                 | -                      | -              | MX (Mail exchange)     | IN (0x0001) | false
Aug 5, 2024 19:52:38.172527075 CEST | 1.1.1.1 | 192.168.2.7 | 0x84e1 | No error (0) | yahoo.com                                 | -                      | -              | MX (Mail exchange)     | IN (0x0001) | false
Aug 5, 2024 19:52:38.172527075 CEST | 1.1.1.1 | 192.168.2.7 | 0x84e1 | No error (0) | yahoo.com                                 | -                      | -              | MX (Mail exchange)     | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 67.195.228.110 | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 98.136.96.91   | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 67.195.204.74  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 67.195.204.72  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 67.195.228.94  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 98.136.96.75   | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 67.195.204.79  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:38.182168007 CEST | 1.1.1.1 | 192.168.2.7 | 0x7c30 | No error (0) | mta5.am0.yahoodns.net                     | -                      | 98.136.96.76   | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:58.205764055 CEST | 1.1.1.1 | 192.168.2.7 | 0x270f | No error (0) | google.com                                | -                      | -              | MX (Mail exchange)     | IN (0x0001) | false
Aug 5, 2024 19:52:58.216089964 CEST | 1.1.1.1 | 192.168.2.7 | 0x4358 | No error (0) | smtp.google.com                           | -                      | 108.177.15.27  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:58.216089964 CEST | 1.1.1.1 | 192.168.2.7 | 0x4358 | No error (0) | smtp.google.com                           | -                      | 173.194.76.26  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:58.216089964 CEST | 1.1.1.1 | 192.168.2.7 | 0x4358 | No error (0) | smtp.google.com                           | -                      | 108.177.15.26  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:58.216089964 CEST | 1.1.1.1 | 192.168.2.7 | 0x4358 | No error (0) | smtp.google.com                           | -                      | 74.125.133.27  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:52:58.216089964 CEST | 1.1.1.1 | 192.168.2.7 | 0x4358 | No error (0) | smtp.google.com                           | -                      | 74.125.133.26  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:53:18.226720095 CEST | 1.1.1.1 | 192.168.2.7 | 0x910a | No error (0) | mail.ru                                   | -                      | -              | MX (Mail exchange)     | IN (0x0001) | false
Aug 5, 2024 19:53:18.235491037 CEST | 1.1.1.1 | 192.168.2.7 | 0xd59a | No error (0) | mxs.mail.ru                               | -                      | 94.100.180.31  | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:53:18.235491037 CEST | 1.1.1.1 | 192.168.2.7 | 0xd59a | No error (0) | mxs.mail.ru                               | -                      | 217.69.139.150 | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:54:14.808582067 CEST | 1.1.1.1 | 192.168.2.7 | 0xad3b | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.8.49    | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:54:14.808582067 CEST | 1.1.1.1 | 192.168.2.7 | 0xad3b | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.42.0    | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:54:14.808582067 CEST | 1.1.1.1 | 192.168.2.7 | 0xad3b | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.40.26   | A (IP address)         | IN (0x0001) | false
Aug 5, 2024 19:54:14.808582067 CEST | 1.1.1.1 | 192.168.2.7 | 0xad3b | No error (0) | microsoft-com.mail.protection.outlook.com | -                      | 52.101.11.0    | A (IP address)         | IN (0x0001) | false

                                                                                                  Target ID:1
                                                                                                  Start time:13:52:08
Start date: 05/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 13:52:09
Start date: 05/08/2024
Path: C:\Users\user\Desktop\igvdwmhd.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\igvdwmhd.exe"
Imagebase: 0x400000
File size: 14'508'544 bytes
MD5 hash: C9BC1DB6A4CBAEA0905F847035B8DF57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000002.00000003.1308349259.0000000002AF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.1351232837.0000000002BB9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 4
Start time: 13:52:12
Start date: 05/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 13:52:12
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ptcoklzf\
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 13:52:12
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 13:52:13
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\ybyrikeu.exe" C:\Windows\SysWOW64\ptcoklzf\
Imagebase: 0x410000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:52:13
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0xeb0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 13:52:13
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" create ptcoklzf binPath= "C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d\"C:\Users\user\Desktop\igvdwmhd.exe\"" type= own start= auto DisplayName= "wifi support"
Imagebase: 0x10000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 13:52:13
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 13:52:14
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" description ptcoklzf "wifi internet conection"
Imagebase: 0x10000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 13:52:14
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 13:52:14
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\sc.exe" start ptcoklzf
Imagebase: 0x10000
File size: 61'440 bytes
MD5 hash: D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 14
Start time: 13:52:14
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 13:52:14
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe /d"C:\Users\user\Desktop\igvdwmhd.exe"
Imagebase: 0x400000
File size: 15'572'992 bytes
MD5 hash: 4E044BA5CE650DE4D036125F371C831D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000002.1367995778.0000000002950000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000003.1363366443.0000000002910000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.1368074204.00000000029B2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Has exited: true

Target ID: 16
Start time: 13:52:15
Start date: 05/08/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Imagebase: 0x1770000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 13:52:15
Start date: 05/08/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 13:52:15
Start date: 05/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:19
                                                                                                  Start time:13:52:15
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7348 -ip 7348
                                                                                                  Imagebase:0x8e0000
                                                                                                  File size:483'680 bytes
                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:20
                                                                                                  Start time:13:52:15
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7348 -s 1232
                                                                                                  Imagebase:0x8e0000
                                                                                                  File size:483'680 bytes
                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:21
                                                                                                  Start time:13:52:17
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:svchost.exe
                                                                                                  Imagebase:0x610000
                                                                                                  File size:46'504 bytes
                                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                  Has exited:false

                                                                                                  Target ID:22
                                                                                                  Start time:13:52:17
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7800 -ip 7800
                                                                                                  Imagebase:0x8e0000
                                                                                                  File size:483'680 bytes
                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:23
                                                                                                  Start time:13:52:17
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 544
                                                                                                  Imagebase:0x8e0000
                                                                                                  File size:483'680 bytes
                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:25
                                                                                                  Start time:15:33:25
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  Target ID:26
                                                                                                  Start time:15:33:40
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                  Imagebase:0x7ff7b8970000
                                                                                                  File size:468'120 bytes
                                                                                                  MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:27
                                                                                                  Start time:15:33:40
                                                                                                  Start date:05/08/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff75da10000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

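The svchost.exe entry for Target ID 21 is the one in this list an analyst should look at twice: a 32-bit copy launched from SysWOW64 with the bare command line `svchost.exe` (no `-k <service group>`, so not started by the Service Control Manager), running with administrator privileges, and with three Tofsee Yara rules matching one memory region inside it. The Python below is an added example, not part of the Joe Sandbox report, showing how to turn those fields into a check over process records and how to pull the target id, base address and page protection out of the `.sdmp` region name that the Yara matches cite. The three sample records are copied from Targets 18, 21 and 25 above. The field layout assumed for the `.sdmp` name (target id, dump index, sequence number, base address, page protection, two undecoded fields, region type) is an assumption read off this page's own names, not a documented format; it is consistent with the page in that `0x15` is 21, the same Target ID, and `0x40` is PAGE_EXECUTE_READWRITE, i.e. a private RWX region, which is where an injected payload would be expected.

```python
import re
from dataclasses import dataclass

# winnt.h memory constants; these are fixed Windows values.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Where a legitimate 64-bit host's svchost.exe lives; anything else is suspect.
SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"
# The SCM always starts svchost with "-k <group>"; a bare "svchost.exe" never came from it.
SERVICE_GROUP_RE = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessRecord:
    """Subset of the Joe Sandbox per-process fields used by the check."""
    target_id: int
    path: str
    wow64: bool
    commandline: str
    yara_rules: tuple = ()


def svchost_findings(rec):
    """Return the reasons this record looks like an abused svchost.exe (empty = clean)."""
    findings = []
    if not rec.path.lower().endswith("\\svchost.exe"):
        return findings  # not svchost at all; out of scope for this check
    if rec.path.lower() != SYSTEM32_SVCHOST:
        findings.append("image is not C:\\Windows\\System32\\svchost.exe: " + rec.path)
    if rec.wow64:
        findings.append("32-bit svchost.exe on a 64-bit host (WOW64)")
    if not SERVICE_GROUP_RE.search(rec.commandline):
        findings.append("no '-k <group>' argument: not launched by the Service Control Manager")
    if rec.yara_rules:
        findings.append("in-memory YARA hits: " + ", ".join(rec.yara_rules))
    return findings


def triage(records):
    """Map target id -> findings for every svchost record that produced at least one."""
    out = {}
    for rec in records:
        f = svchost_findings(rec)
        if f:
            out[rec.target_id] = f
    return out


# Assumed layout of a Joe Sandbox .sdmp name (see lead-in); fields f6/f8 are left undecoded.
SDMP_RE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)


def decode_sdmp(name):
    """Decode target id, base address, page protection and region type from an .sdmp name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox .sdmp region name: " + name)
    protect = int(m["protect"], 16)
    return {
        "target_id": int(m["target"], 16),
        "dump_index": int(m["dump"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "executable": bool(protect & 0xF0),      # any PAGE_EXECUTE_* bit
        "mem_type": MEM_TYPE.get(int(m["type"], 16), m["type"]),
    }


# Records copied from the report's process list (Targets 18, 21, 25).
REPORT_PROCESSES = [
    ProcessRecord(18, r"C:\Windows\System32\svchost.exe", False,
                  r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    ProcessRecord(21, r"C:\Windows\SysWOW64\svchost.exe", True, "svchost.exe",
                  ("JoeSecurity_Tofsee", "Windows_Trojan_Tofsee_26124fe4", "MALWARE_Win_Tofsee")),
    ProcessRecord(25, r"C:\Windows\System32\svchost.exe", False,
                  r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager"),
]
TOFSEE_REGION = "00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp"

if __name__ == "__main__":
    for tid, reasons in triage(REPORT_PROCESSES).items():
        print("Target", tid)
        for r in reasons:
            print("  -", r)
    region = decode_sdmp(TOFSEE_REGION)
    print("YARA region: target %d base 0x%X %s %s" %
          (region["target_id"], region["base"], region["protect"], region["mem_type"]))
```

Only Target 21 is flagged, on all four counts; Targets 18 and 25 carry a `-k` group and the System32 path and pass. On a live host the strongest single signal is the parent process (a real svchost.exe is a child of services.exe), which this process list does not record, so the check above should be read as the report-side approximation of that rule rather than a replacement for it.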

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:3.7%
                                                                                                    Dynamic/Decrypted Code Coverage:31%
                                                                                                    Signature Coverage:25.4%
                                                                                                    Total number of Nodes:1562
                                                                                                    Total number of Limit Nodes:18
                                                                                                    [Execution graph rendering omitted: the page carries only the raw node/edge dump of the graph, which is not readable as text. API calls that appear on its nodes include CreateToolhelp32Snapshot / Module32First / VirtualAlloc; SetErrorMode / SetUnhandledExceptionFilter; GetCommandLineA / GetModuleHandleA / GetModuleFileNameA; CreateThread / WSAStartup; GetTempPathA / GetEnvironmentVariableA / GetSystemDirectoryA / GetWindowsDirectoryA; RegOpenKeyExA / RegQueryValueExA / RegSetValueExA / RegDeleteValueA / RegEnumKeyA / RegEnumValueA / RegCloseKey; CreateFileA / ReadFile / WriteFile / SetFilePointer / SetFileAttributesA / GetFileAttributesExA / DeleteFileA; CreateProcessA / ShellExecuteA / WaitForSingleObject; StartServiceCtrlDispatcherA; GetDriveTypeA / GetDiskFreeSpaceA / GetVolumeInformationA / GetUserNameA / GetVersionExA / GetSystemInfo; LoadLibraryA / GetProcAddress; inet_addr / send / closesocket; DeviceIoControl; GetProcessHeap / RtlAllocateHeap / HeapFree; wsprintfA / lstrcatA / lstrlenA; GetTickCount / Sleep / ExitProcess. The dump is truncated on the page.]
15052->15053 15054 406eef AllocateAndInitializeSid 15052->15054 15053->14674 15055 406f44 15054->15055 15056 406f1c CheckTokenMembership 15054->15056 15055->15053 15086 406e36 GetUserNameW 15055->15086 15057 406f3b FreeSid 15056->15057 15058 406f2e 15056->15058 15057->15055 15058->15057 15062 40920e 15060->15062 15064 409308 15060->15064 15061 4092f1 Sleep 15061->15062 15062->15061 15063 4092bf ShellExecuteA 15062->15063 15062->15064 15063->15062 15063->15064 15064->14691 15066 40ef32 15065->15066 15066->14690 15068 40f0f1 15067->15068 15069 40f0ed 15067->15069 15070 40f119 15068->15070 15071 40f0fa lstrlenA SysAllocStringByteLen 15068->15071 15069->14696 15072 40f11c MultiByteToWideChar 15070->15072 15071->15072 15073 40f117 15071->15073 15072->15073 15073->14696 15075 401820 17 API calls 15074->15075 15076 4018f2 15075->15076 15077 4018f9 15076->15077 15089 401280 15076->15089 15077->14691 15079 401908 15079->14691 15102 401000 15080->15102 15082 401839 15083 401851 GetCurrentProcess 15082->15083 15084 40183d 15082->15084 15085 401864 15083->15085 15084->14682 15085->14682 15087 406e5f LookupAccountNameW 15086->15087 15088 406e97 15086->15088 15087->15088 15088->15053 15092 4012e1 ShellExecuteExW 15089->15092 15091 4016f9 GetLastError 15093 401699 15091->15093 15092->15091 15099 4013a8 15092->15099 15093->15079 15094 401570 lstrlenW 15094->15099 15095 4015be GetStartupInfoW 15095->15099 15096 4015ff CreateProcessWithLogonW 15097 4016bf GetLastError 15096->15097 15098 40163f WaitForSingleObject 15096->15098 15097->15093 15098->15099 15100 401659 CloseHandle 15098->15100 15099->15093 15099->15094 15099->15095 15099->15096 15101 401668 CloseHandle 15099->15101 15100->15099 15101->15099 15103 40100d LoadLibraryA 15102->15103 15105 401023 15102->15105 15104 401021 15103->15104 15103->15105 15104->15082 15106 4010b5 GetProcAddress 15105->15106 15122 4010ae 15105->15122 15107 4010d1 GetProcAddress 15106->15107 15108 40127b 15106->15108 15107->15108 15109 4010f0 
GetProcAddress 15107->15109 15108->15082 15109->15108 15110 401110 GetProcAddress 15109->15110 15110->15108 15111 401130 GetProcAddress 15110->15111 15111->15108 15112 40114f GetProcAddress 15111->15112 15112->15108 15113 40116f GetProcAddress 15112->15113 15113->15108 15114 40118f GetProcAddress 15113->15114 15114->15108 15115 4011ae GetProcAddress 15114->15115 15115->15108 15116 4011ce GetProcAddress 15115->15116 15116->15108 15117 4011ee GetProcAddress 15116->15117 15117->15108 15118 401209 GetProcAddress 15117->15118 15118->15108 15119 401225 GetProcAddress 15118->15119 15119->15108 15120 401241 GetProcAddress 15119->15120 15120->15108 15121 40125c GetProcAddress 15120->15121 15121->15108 15122->15082 15127 4069b9 WriteFile 15123->15127 15125 406a3c 15125->14706 15125->14707 15126 4069ff 15126->15125 15128 406a10 WriteFile 15126->15128 15127->15125 15127->15126 15128->15125 15128->15126 15130 40eb17 15129->15130 15131 40eb21 15129->15131 15133 40eae4 15130->15133 15131->14710 15134 40eb02 GetProcAddress 15133->15134 15135 40eaed LoadLibraryA 15133->15135 15134->15131 15135->15134 15136 40eb01 15135->15136 15136->15131 15138 40eba7 GetProcessHeap HeapSize 15137->15138 15139 40ebbf GetProcessHeap HeapFree 15137->15139 15138->15139 15139->14739 15141 40908d 15140->15141 15142 4090e2 wsprintfA 15141->15142 15143 40ee2a 15142->15143 15144 4090fd CreateFileA 15143->15144 15145 40911a lstrlenA WriteFile CloseHandle 15144->15145 15146 40913f 15144->15146 15145->15146 15146->14748 15146->14749 15148 40ee2a 15147->15148 15149 409794 CreateProcessA 15148->15149 15150 4097c2 15149->15150 15151 4097bb 15149->15151 15152 4097d4 GetThreadContext 15150->15152 15151->14758 15153 409801 15152->15153 15154 4097f5 15152->15154 15161 40637c 15153->15161 15155 4097f6 TerminateProcess 15154->15155 15155->15151 15157 409816 15157->15155 15158 40981e WriteProcessMemory 15157->15158 15158->15154 15159 40983b SetThreadContext 15158->15159 15159->15154 15160 409858 ResumeThread 
15159->15160 15160->15151 15162 406386 15161->15162 15163 40638a GetModuleHandleA VirtualAlloc 15161->15163 15162->15157 15164 4063f5 15163->15164 15165 4063b6 15163->15165 15164->15157 15166 4063be VirtualAllocEx 15165->15166 15166->15164 15167 4063d6 15166->15167 15168 4063df WriteProcessMemory 15167->15168 15168->15164 15170 40dd41 InterlockedExchange 15169->15170 15171 40dd20 GetCurrentThreadId 15170->15171 15175 40dd4a 15170->15175 15172 40dd53 GetCurrentThreadId 15171->15172 15173 40dd2e GetTickCount 15171->15173 15172->14763 15174 40dd39 Sleep 15173->15174 15173->15175 15174->15170 15175->15172 15177 40dbf0 15176->15177 15209 40db67 GetEnvironmentVariableA 15177->15209 15179 40dc19 15180 40dcda 15179->15180 15181 40db67 3 API calls 15179->15181 15180->14765 15182 40dc5c 15181->15182 15182->15180 15183 40db67 3 API calls 15182->15183 15184 40dc9b 15183->15184 15184->15180 15185 40db67 3 API calls 15184->15185 15185->15180 15187 40db3a 15186->15187 15189 40db55 15186->15189 15213 40ebed 15187->15213 15189->14767 15189->14772 15222 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15190->15222 15192 40e3be 15192->14767 15193 40e342 15193->15192 15225 40de24 15193->15225 15196 40e528 15195->15196 15197 40e3f4 15195->15197 15196->14776 15198 40e434 RegQueryValueExA 15197->15198 15199 40e458 15198->15199 15200 40e51d RegCloseKey 15198->15200 15201 40e46e RegQueryValueExA 15199->15201 15200->15196 15201->15199 15202 40e488 15201->15202 15202->15200 15203 40db2e 8 API calls 15202->15203 15204 40e499 15203->15204 15204->15200 15205 40e4b9 RegQueryValueExA 15204->15205 15206 40e4e8 15204->15206 15205->15204 15205->15206 15206->15200 15207 40e332 14 API calls 15206->15207 15208 40e513 15207->15208 15208->15200 15210 40db89 lstrcpyA CreateFileA 15209->15210 15211 40dbca 15209->15211 15210->15179 15211->15179 15214 40ec01 15213->15214 15215 40ebf6 15213->15215 15217 40eba0 codecvt 2 API calls 15214->15217 15216 40ebcc 4 API calls 15215->15216 15218 40ebfe 15216->15218 
15219 40ec0a GetProcessHeap HeapReAlloc 15217->15219 15218->15189 15220 40eb74 2 API calls 15219->15220 15221 40ec28 15220->15221 15221->15189 15236 40eb41 15222->15236 15226 40de3a 15225->15226 15229 40de4e 15226->15229 15240 40dd84 15226->15240 15229->15193 15230 40de9e 15230->15229 15232 40ebed 8 API calls 15230->15232 15231 40de76 15244 40ddcf 15231->15244 15234 40def6 15232->15234 15234->15229 15235 40ddcf lstrcmpA 15234->15235 15235->15229 15237 40eb54 15236->15237 15238 40eb4a 15236->15238 15237->15193 15239 40eae4 2 API calls 15238->15239 15239->15237 15241 40ddc5 15240->15241 15242 40dd96 15240->15242 15241->15230 15241->15231 15242->15241 15243 40ddad lstrcmpiA 15242->15243 15243->15241 15243->15242 15245 40dddd 15244->15245 15247 40de20 15244->15247 15246 40ddfa lstrcmpA 15245->15246 15245->15247 15246->15245 15247->15229 15249 40dd05 6 API calls 15248->15249 15250 40e821 15249->15250 15251 40dd84 lstrcmpiA 15250->15251 15252 40e82c 15251->15252 15254 40e844 15252->15254 15296 402480 15252->15296 15254->14792 15256 40dd05 6 API calls 15255->15256 15257 40df7c 15256->15257 15258 40dd84 lstrcmpiA 15257->15258 15262 40df89 15258->15262 15259 40dfc4 15259->14799 15260 40ddcf lstrcmpA 15260->15262 15261 40ec2e codecvt 4 API calls 15261->15262 15262->15259 15262->15260 15262->15261 15263 40dd84 lstrcmpiA 15262->15263 15263->15262 15265 40ea98 15264->15265 15305 40e8a1 15265->15305 15267 401e84 15267->14801 15269 4019d5 GetProcAddress GetProcAddress GetProcAddress 15268->15269 15272 4019ce 15268->15272 15270 401ab3 FreeLibrary 15269->15270 15271 401a04 15269->15271 15270->15272 15271->15270 15273 401a14 GetProcessHeap 15271->15273 15272->14805 15273->15272 15275 401a2e HeapAlloc 15273->15275 15275->15272 15276 401a42 15275->15276 15277 401a52 HeapReAlloc 15276->15277 15279 401a62 15276->15279 15277->15279 15278 401aa1 FreeLibrary 15278->15272 15279->15278 15280 401a96 HeapFree 15279->15280 15280->15278 15333 401ac3 LoadLibraryA 15281->15333 15284 401bcf 
15284->14816 15286 401ac3 12 API calls 15285->15286 15287 401c09 15286->15287 15288 401c41 15287->15288 15289 401c0d GetComputerNameA 15287->15289 15288->14824 15290 401c45 GetVolumeInformationA 15289->15290 15291 401c1f 15289->15291 15290->15288 15291->15288 15291->15290 15293 40ee2a 15292->15293 15294 4030d0 gethostname gethostbyname 15293->15294 15295 401f82 15294->15295 15295->14830 15295->14831 15299 402419 lstrlenA 15296->15299 15298 402491 15298->15254 15300 402474 15299->15300 15301 40243d lstrlenA 15299->15301 15300->15298 15302 402464 lstrlenA 15301->15302 15303 40244e lstrcmpiA 15301->15303 15302->15300 15302->15301 15303->15302 15304 40245c 15303->15304 15304->15300 15304->15302 15306 40dd05 6 API calls 15305->15306 15307 40e8b4 15306->15307 15308 40dd84 lstrcmpiA 15307->15308 15309 40e8c0 15308->15309 15310 40e90a 15309->15310 15311 40e8c8 lstrcpynA 15309->15311 15313 402419 4 API calls 15310->15313 15321 40ea27 15310->15321 15312 40e8f5 15311->15312 15326 40df4c 15312->15326 15314 40e926 lstrlenA lstrlenA 15313->15314 15316 40e96a 15314->15316 15317 40e94c lstrlenA 15314->15317 15320 40ebcc 4 API calls 15316->15320 15316->15321 15317->15316 15318 40e901 15319 40dd84 lstrcmpiA 15318->15319 15319->15310 15322 40e98f 15320->15322 15321->15267 15322->15321 15323 40df4c 20 API calls 15322->15323 15324 40ea1e 15323->15324 15325 40ec2e codecvt 4 API calls 15324->15325 15325->15321 15327 40dd05 6 API calls 15326->15327 15328 40df51 15327->15328 15329 40f04e 4 API calls 15328->15329 15330 40df58 15329->15330 15331 40de24 10 API calls 15330->15331 15332 40df63 15331->15332 15332->15318 15334 401ae2 GetProcAddress 15333->15334 15339 401b68 GetComputerNameA GetVolumeInformationA 15333->15339 15335 401af5 15334->15335 15334->15339 15336 40ebed 8 API calls 15335->15336 15337 401b29 15335->15337 15336->15335 15337->15337 15338 40ec2e codecvt 4 API calls 15337->15338 15337->15339 15338->15339 15339->15284 15341 406ec3 2 API calls 15340->15341 15342 407ef4 
15341->15342 15343 4073ff 17 API calls 15342->15343 15344 407fc9 15342->15344 15345 407f16 15343->15345 15344->14843 15345->15344 15353 407809 GetUserNameA 15345->15353 15347 407f63 15347->15344 15348 40ef1e lstrlenA 15347->15348 15349 407fa6 15348->15349 15350 40ef1e lstrlenA 15349->15350 15351 407fb7 15350->15351 15377 407a95 RegOpenKeyExA 15351->15377 15354 40783d LookupAccountNameA 15353->15354 15355 407a8d 15353->15355 15354->15355 15356 407874 GetLengthSid GetFileSecurityA 15354->15356 15355->15347 15356->15355 15357 4078a8 GetSecurityDescriptorOwner 15356->15357 15358 4078c5 EqualSid 15357->15358 15359 40791d GetSecurityDescriptorDacl 15357->15359 15358->15359 15360 4078dc LocalAlloc 15358->15360 15359->15355 15372 407941 15359->15372 15360->15359 15361 4078ef InitializeSecurityDescriptor 15360->15361 15363 407916 LocalFree 15361->15363 15364 4078fb SetSecurityDescriptorOwner 15361->15364 15362 40795b GetAce 15362->15372 15363->15359 15364->15363 15365 40790b SetFileSecurityA 15364->15365 15365->15363 15366 407980 EqualSid 15366->15372 15367 407a3d 15367->15355 15370 407a43 LocalAlloc 15367->15370 15368 4079be EqualSid 15368->15372 15369 40799d DeleteAce 15369->15372 15370->15355 15371 407a56 InitializeSecurityDescriptor 15370->15371 15373 407a62 SetSecurityDescriptorDacl 15371->15373 15374 407a86 LocalFree 15371->15374 15372->15355 15372->15362 15372->15366 15372->15367 15372->15368 15372->15369 15373->15374 15375 407a73 SetFileSecurityA 15373->15375 15374->15355 15375->15374 15376 407a83 15375->15376 15376->15374 15378 407ac4 15377->15378 15379 407acb GetUserNameA 15377->15379 15378->15344 15380 407da7 RegCloseKey 15379->15380 15381 407aed LookupAccountNameA 15379->15381 15380->15378 15381->15380 15382 407b24 RegGetKeySecurity 15381->15382 15382->15380 15383 407b49 GetSecurityDescriptorOwner 15382->15383 15384 407b63 EqualSid 15383->15384 15385 407bb8 GetSecurityDescriptorDacl 15383->15385 15384->15385 15386 407b74 LocalAlloc 15384->15386 15387 407da6 
15385->15387 15398 407bdc 15385->15398 15386->15385 15388 407b8a InitializeSecurityDescriptor 15386->15388 15387->15380 15389 407bb1 LocalFree 15388->15389 15390 407b96 SetSecurityDescriptorOwner 15388->15390 15389->15385 15390->15389 15392 407ba6 RegSetKeySecurity 15390->15392 15391 407bf8 GetAce 15391->15398 15392->15389 15393 407c1d EqualSid 15393->15398 15394 407cd9 15394->15387 15397 407d5a LocalAlloc 15394->15397 15399 407cf2 RegOpenKeyExA 15394->15399 15395 407c5f EqualSid 15395->15398 15396 407c3a DeleteAce 15396->15398 15397->15387 15400 407d70 InitializeSecurityDescriptor 15397->15400 15398->15387 15398->15391 15398->15393 15398->15394 15398->15395 15398->15396 15399->15397 15405 407d0f 15399->15405 15401 407d7c SetSecurityDescriptorDacl 15400->15401 15402 407d9f LocalFree 15400->15402 15401->15402 15403 407d8c RegSetKeySecurity 15401->15403 15402->15387 15403->15402 15404 407d9c 15403->15404 15404->15402 15406 407d43 RegSetValueExA 15405->15406 15406->15397 15407 407d54 15406->15407 15407->15397 15408->14859 15410 40dd05 6 API calls 15409->15410 15413 40e65f 15410->15413 15411 40e6a5 15412 40ebcc 4 API calls 15411->15412 15418 40e6f5 15411->15418 15415 40e6b0 15412->15415 15413->15411 15414 40e68c lstrcmpA 15413->15414 15414->15413 15416 40e6b7 15415->15416 15417 40e6e0 lstrcpynA 15415->15417 15415->15418 15416->14861 15417->15418 15418->15416 15419 40e71d lstrcmpA 15418->15419 15419->15418 15420->14867 15422 40c525 15421->15422 15423 40c532 15421->15423 15422->15423 15426 40ec2e codecvt 4 API calls 15422->15426 15424 40c548 15423->15424 15573 40e7ff 15423->15573 15427 40e7ff lstrcmpiA 15424->15427 15434 40c54f 15424->15434 15426->15423 15428 40c615 15427->15428 15429 40ebcc 4 API calls 15428->15429 15428->15434 15429->15434 15430 40c5d1 15433 40ebcc 4 API calls 15430->15433 15432 40e819 11 API calls 15435 40c5b7 15432->15435 15433->15434 15434->14880 15436 40f04e 4 API calls 15435->15436 15437 40c5bf 15436->15437 15437->15424 15437->15430 15439 402692 
inet_addr 15438->15439 15440 40268e 15438->15440 15439->15440 15441 40269e gethostbyname 15439->15441 15442 40f428 15440->15442 15441->15440 15576 40f315 15442->15576 15447 40c8d2 15445->15447 15446 40c907 15446->14882 15447->15446 15448 40c517 23 API calls 15447->15448 15448->15446 15449 40f43e 15450 40f473 recv 15449->15450 15451 40f458 15450->15451 15452 40f47c 15450->15452 15451->15450 15451->15452 15452->14898 15454 40c670 15453->15454 15455 40c67d 15453->15455 15456 40ebcc 4 API calls 15454->15456 15457 40ebcc 4 API calls 15455->15457 15459 40c699 15455->15459 15456->15455 15457->15459 15458 40c6f3 15458->14911 15458->14928 15459->15458 15460 40c73c send 15459->15460 15460->15458 15462 40c770 15461->15462 15463 40c77d 15461->15463 15465 40ebcc 4 API calls 15462->15465 15464 40c799 15463->15464 15466 40ebcc 4 API calls 15463->15466 15467 40c7b5 15464->15467 15468 40ebcc 4 API calls 15464->15468 15465->15463 15466->15464 15469 40f43e recv 15467->15469 15468->15467 15470 40c7cb 15469->15470 15471 40c7d3 15470->15471 15472 40f43e recv 15470->15472 15471->14928 15472->15471 15589 407db7 15473->15589 15476 407e70 15478 407e96 15476->15478 15480 40f04e 4 API calls 15476->15480 15477 40f04e 4 API calls 15479 407e4c 15477->15479 15478->14928 15479->15476 15481 40f04e 4 API calls 15479->15481 15480->15478 15481->15476 15483 406ec3 2 API calls 15482->15483 15484 407fdd 15483->15484 15485 4073ff 17 API calls 15484->15485 15494 4080c2 CreateProcessA 15484->15494 15486 407fff 15485->15486 15487 407809 21 API calls 15486->15487 15486->15494 15488 40804d 15487->15488 15489 40ef1e lstrlenA 15488->15489 15488->15494 15490 40809e 15489->15490 15491 40ef1e lstrlenA 15490->15491 15492 4080af 15491->15492 15493 407a95 24 API calls 15492->15493 15493->15494 15494->14964 15494->14965 15496 407db7 2 API calls 15495->15496 15497 407eb8 15496->15497 15498 40f04e 4 API calls 15497->15498 15499 407ece DeleteFileA 15498->15499 15499->14928 15501 40dd05 6 API calls 15500->15501 15502 
40e31d 15501->15502 15593 40e177 15502->15593 15504 40e326 15504->14936 15506 4031f3 15505->15506 15516 4031ec 15505->15516 15507 40ebcc 4 API calls 15506->15507 15521 4031fc 15507->15521 15508 40344b 15509 403459 15508->15509 15510 40349d 15508->15510 15511 40f04e 4 API calls 15509->15511 15512 40ec2e codecvt 4 API calls 15510->15512 15513 40345f 15511->15513 15512->15516 15515 4030fa 4 API calls 15513->15515 15514 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15514->15521 15515->15516 15516->14928 15517 40344d 15518 40ec2e codecvt 4 API calls 15517->15518 15518->15508 15520 403141 lstrcmpiA 15520->15521 15521->15508 15521->15514 15521->15516 15521->15517 15521->15520 15619 4030fa GetTickCount 15521->15619 15523 4030fa 4 API calls 15522->15523 15524 403c1a 15523->15524 15525 403ce6 15524->15525 15624 403a72 15524->15624 15525->14928 15528 403a72 9 API calls 15529 403c5e 15528->15529 15529->15525 15530 403a72 9 API calls 15529->15530 15531 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15529->15531 15530->15529 15531->15529 15533 403a10 15532->15533 15534 4030fa 4 API calls 15533->15534 15535 403a1a 15534->15535 15535->14928 15537 40dd05 6 API calls 15536->15537 15538 40e7be 15537->15538 15538->14928 15540 40c105 15539->15540 15541 40c07e wsprintfA 15539->15541 15540->14928 15633 40bfce GetTickCount wsprintfA 15541->15633 15543 40c0ef 15634 40bfce GetTickCount wsprintfA 15543->15634 15546 407047 15545->15546 15547 406f88 LookupAccountNameA 15545->15547 15546->14928 15549 407025 15547->15549 15550 406fcb 15547->15550 15551 406edd 5 API calls 15549->15551 15553 406fdb ConvertSidToStringSidA 15550->15553 15552 40702a wsprintfA 15551->15552 15552->15546 15553->15549 15554 406ff1 15553->15554 15555 407013 LocalFree 15554->15555 15555->15549 15557 40dd05 6 API calls 15556->15557 15558 40e85c 15557->15558 15559 40dd84 lstrcmpiA 15558->15559 15560 40e867 15559->15560 15561 40e885 lstrcpyA 15560->15561 15635 4024a5 15560->15635 15638 40dd69 
15561->15638 15567 407db7 2 API calls 15566->15567 15568 407de1 15567->15568 15569 40f04e 4 API calls 15568->15569 15572 407e16 15568->15572 15570 407df2 15569->15570 15571 40f04e 4 API calls 15570->15571 15570->15572 15571->15572 15572->14928 15574 40dd84 lstrcmpiA 15573->15574 15575 40c58e 15574->15575 15575->15424 15575->15430 15575->15432 15577 40ca1d 15576->15577 15578 40f33b 15576->15578 15577->14895 15577->15449 15579 40f347 htons socket 15578->15579 15580 40f382 ioctlsocket 15579->15580 15581 40f374 closesocket 15579->15581 15582 40f3aa connect select 15580->15582 15583 40f39d 15580->15583 15581->15577 15582->15577 15585 40f3f2 __WSAFDIsSet 15582->15585 15584 40f39f closesocket 15583->15584 15584->15577 15585->15584 15586 40f403 ioctlsocket 15585->15586 15588 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15586->15588 15588->15577 15590 407dc8 InterlockedExchange 15589->15590 15591 407dc0 Sleep 15590->15591 15592 407dd4 15590->15592 15591->15590 15592->15476 15592->15477 15594 40e184 15593->15594 15595 40e2e4 15594->15595 15596 40e223 15594->15596 15609 40dfe2 15594->15609 15595->15504 15596->15595 15598 40dfe2 8 API calls 15596->15598 15602 40e23c 15598->15602 15599 40e1be 15599->15596 15600 40dbcf 3 API calls 15599->15600 15603 40e1d6 15600->15603 15601 40e21a CloseHandle 15601->15596 15602->15595 15613 40e095 RegCreateKeyExA 15602->15613 15603->15596 15603->15601 15604 40e1f9 WriteFile 15603->15604 15604->15601 15606 40e213 15604->15606 15606->15601 15607 40e2a3 15607->15595 15608 40e095 4 API calls 15607->15608 15608->15595 15610 40dffc 15609->15610 15612 40e024 15609->15612 15611 40db2e 8 API calls 15610->15611 15610->15612 15611->15612 15612->15599 15614 40e172 15613->15614 15616 40e0c0 15613->15616 15614->15607 15615 40e13d 15617 40e14e RegDeleteValueA RegCloseKey 15615->15617 15616->15615 15618 40e115 RegSetValueExA 15616->15618 15617->15614 15618->15615 15618->15616 15620 403122 InterlockedExchange 15619->15620 15621 40312e 
15620->15621 15622 40310f GetTickCount 15620->15622 15621->15521 15622->15621 15623 40311a Sleep 15622->15623 15623->15620 15625 40f04e 4 API calls 15624->15625 15632 403a83 15625->15632 15626 403ac1 15626->15525 15626->15528 15627 403be6 15629 40ec2e codecvt 4 API calls 15627->15629 15628 403bc0 15628->15627 15630 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15628->15630 15629->15626 15630->15628 15631 403b66 lstrlenA 15631->15626 15631->15632 15632->15626 15632->15628 15632->15631 15633->15543 15634->15540 15636 402419 4 API calls 15635->15636 15637 4024b6 15636->15637 15637->15561 15639 40dd79 lstrlenA 15638->15639 15639->14928 15641 404084 15640->15641 15642 40407d 15640->15642 15643 403ecd 6 API calls 15641->15643 15644 40408f 15643->15644 15645 404000 3 API calls 15644->15645 15646 404095 15645->15646 15647 404130 15646->15647 15652 403f18 4 API calls 15646->15652 15648 403ecd 6 API calls 15647->15648 15649 404159 CreateNamedPipeA 15648->15649 15650 404167 Sleep 15649->15650 15651 404188 ConnectNamedPipe 15649->15651 15650->15647 15653 404176 CloseHandle 15650->15653 15655 404195 GetLastError 15651->15655 15665 4041ab 15651->15665 15654 4040da 15652->15654 15653->15651 15656 403f8c 4 API calls 15654->15656 15657 40425e DisconnectNamedPipe 15655->15657 15655->15665 15658 4040ec 15656->15658 15657->15651 15659 404127 CloseHandle 15658->15659 15661 404101 15658->15661 15659->15647 15660 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15660->15665 15662 403f18 4 API calls 15661->15662 15663 40411c ExitProcess 15662->15663 15664 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15664->15665 15665->15651 15665->15657 15665->15660 15665->15664 15666 40426a CloseHandle CloseHandle 15665->15666 15667 40e318 23 API calls 15666->15667 15668 40427b 15667->15668 15668->15668 15670 408791 15669->15670 15671 40879f 15669->15671 15672 40f04e 4 API calls 15670->15672 15673 4087bc 15671->15673 15675 40f04e 4 API calls 
15671->15675 15672->15671 15674 40e819 11 API calls 15673->15674 15676 4087d7 15674->15676 15675->15673 15689 408803 15676->15689 15691 4026b2 gethostbyaddr 15676->15691 15679 4087eb 15681 40e8a1 30 API calls 15679->15681 15679->15689 15681->15689 15684 40e819 11 API calls 15684->15689 15685 4088a0 Sleep 15685->15689 15687 4026b2 2 API calls 15687->15689 15688 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15688->15689 15689->15684 15689->15685 15689->15687 15689->15688 15690 40e8a1 30 API calls 15689->15690 15696 408cee 15689->15696 15704 40c4d6 15689->15704 15707 40c4e2 15689->15707 15710 402011 15689->15710 15745 408328 15689->15745 15690->15689 15692 4026fb 15691->15692 15693 4026cd 15691->15693 15692->15679 15694 4026e1 inet_ntoa 15693->15694 15695 4026de 15693->15695 15694->15695 15695->15679 15697 408d02 GetTickCount 15696->15697 15698 408dae 15696->15698 15697->15698 15702 408d19 15697->15702 15698->15689 15699 408da1 GetTickCount 15699->15698 15702->15699 15703 408d89 15702->15703 15797 40a677 15702->15797 15800 40a688 15702->15800 15703->15699 15808 40c2dc 15704->15808 15708 40c2dc 141 API calls 15707->15708 15709 40c4ec 15708->15709 15709->15689 15711 402020 15710->15711 15712 40202e 15710->15712 15713 40f04e 4 API calls 15711->15713 15714 40204b 15712->15714 15716 40f04e 4 API calls 15712->15716 15713->15712 15715 40206e GetTickCount 15714->15715 15717 40f04e 4 API calls 15714->15717 15718 4020db GetTickCount 15715->15718 15728 402090 15715->15728 15716->15714 15720 402068 15717->15720 15719 402132 GetTickCount GetTickCount 15718->15719 15730 4020e7 15718->15730 15723 40f04e 4 API calls 15719->15723 15720->15715 15721 4020d4 GetTickCount 15721->15718 15722 40212b GetTickCount 15722->15719 15724 402159 15723->15724 15726 4021b4 15724->15726 15729 40e854 13 API calls 15724->15729 15725 402684 2 API calls 15725->15728 15731 40f04e 4 API calls 15726->15731 15728->15721 15728->15725 15735 4020ce 15728->15735 16135 401978 
15728->16135 15732 40218e 15729->15732 15730->15722 15737 401978 15 API calls 15730->15737 15738 402125 15730->15738 16140 402ef8 15730->16140 15734 4021d1 15731->15734 15736 40e819 11 API calls 15732->15736 15739 4021f2 15734->15739 15741 40ea84 30 API calls 15734->15741 15735->15721 15740 40219c 15736->15740 15737->15730 15738->15722 15739->15689 15740->15726 16148 401c5f 15740->16148 15742 4021ec 15741->15742 15743 40f04e 4 API calls 15742->15743 15743->15739 15746 407dd6 6 API calls 15745->15746 15747 40833c 15746->15747 15748 406ec3 2 API calls 15747->15748 15771 408340 15747->15771 15749 40834f 15748->15749 15750 40835c 15749->15750 15754 40846b 15749->15754 15751 4073ff 17 API calls 15750->15751 15773 408373 15751->15773 15752 4085df 15755 408626 GetTempPathA 15752->15755 15763 408762 15752->15763 15772 408638 15752->15772 15753 40675c 21 API calls 15753->15752 15756 4084a7 RegOpenKeyExA 15754->15756 15767 408450 15754->15767 15755->15772 15758 4084c0 RegQueryValueExA 15756->15758 15759 40852f 15756->15759 15761 408521 RegCloseKey 15758->15761 15762 4084dd 15758->15762 15764 408564 RegOpenKeyExA 15759->15764 15779 4085a5 15759->15779 15760 4086ad 15760->15763 15765 407e2f 6 API calls 15760->15765 15761->15759 15762->15761 15768 40ebcc 4 API calls 15762->15768 15770 40ec2e codecvt 4 API calls 15763->15770 15763->15771 15766 408573 RegSetValueExA RegCloseKey 15764->15766 15764->15779 15776 4086bb 15765->15776 15766->15779 15767->15752 15767->15753 15775 4084f0 15768->15775 15769 40875b DeleteFileA 15769->15763 15770->15771 15771->15689 16220 406ba7 IsBadCodePtr 15772->16220 15773->15767 15773->15771 15777 4083ea RegOpenKeyExA 15773->15777 15775->15761 15778 4084f8 RegQueryValueExA 15775->15778 15776->15769 15783 4086e0 lstrcpyA lstrlenA 15776->15783 15777->15767 15780 4083fd RegQueryValueExA 15777->15780 15778->15761 15781 408515 15778->15781 15779->15767 15782 40ec2e codecvt 4 API calls 15779->15782 15784 40842d RegSetValueExA 15780->15784 15785 40841e 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop$runas
• API String ID: 3696105349-2220793183
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                    • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                    • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 1251348514-2980165447
                                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                    • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                    • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                    • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                    • String ID:
                                                                                                    • API String ID: 1209300637-0
                                                                                                    • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                    • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                    • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                    • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph (basic blocks 2bbe348-2bbe3a6, in a memory region not backed by a PE image, see Memory Dump Source below): 2bbe348 -> 2bbe363 -> 2bbe36c CreateToolhelp32Snapshot(TH32CS_SNAPMODULE = 8, pid 0 = current process); on failure 2bbe37a -> 2bbe382 loops back to 2bbe363 (retry); on success 2bbe388 Module32First -> 2bbe397 call 2bbe007 -> 2bbe39e return.
                                                                                                    APIs
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02BBE370
                                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 02BBE390
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1351232837.0000000002BB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BB9000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_2bb9000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                    • String ID:
                                                                                                    • API String ID: 3833638111-0
                                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                    • Instruction ID: 328526aada0347e2c0714324f1f58a27de9ffa3537dd3f6c01c33d7424c2ebd6
                                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                    • Instruction Fuzzy Hash: CDF0F6311007146FE7223BF9988CBFE76E8FF48224F904168F643910D0CBF0E8058A60

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph (single basic block 40ebcc-40ebec): GetProcessHeap -> RtlAllocateHeap -> call 40eb74 (which itself calls GetProcessHeap and HeapSize).
                                                                                                    APIs
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                      • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                      • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocateSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2559512979-0
                                                                                                    • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                    • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                    • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                    • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph (basic blocks 4073ff-407808): 4073ff argument checks (40741b-40742d) -> 40743a call 406dc2, call 402544, RegOpenKeyExA(HKEY_LOCAL_MACHINE); on failure 4077f9 call 40ee2a -> 407804 return; on success 407487 call 40ee2a -> subkey loop at 407703 RegEnumKeyA (when exhausted 407714 RegCloseKey -> 407801 -> 407804 return); per subkey: 4074a2 call 406cad -> 4074b7 call 40f1a5 -> 4074d2 RegOpenKeyExA -> 4074fe call 402544, RegQueryValueExA -> string handling 407536-407673 (calls 40ee95, 402544, 40ef00, 40ed03, 40ed77 = ___ascii_stricmp, 40ed23) -> 407683 call 406cad -> 407694 call 40f1a5, call 406c96 -> 4076c1-4076d2 -> 40777e GetFileAttributesExA -> 407799-4077e2 (calls 40ee08, 40ef00) -> 4077e3 RegCloseKey -> 4077ec RegCloseKey -> 407804 return. Error paths close the open key at 4076e4 (back to the loop), 407742 and 4077ec.
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00407472
                                                                                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004074F0
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00407528
                                                                                                    • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004076E7
                                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00407717
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00407745
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004077EF
                                                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                    • String ID: "$PromptOnSecureDesktop
                                                                                                    • API String ID: 3433985886-3108538426
                                                                                                    • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                    • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                    • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                    • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph (basic blocks 40704c-4073f7): 40704c argument checks (407073-40708e) -> 407090 call 402544, RegOpenKeyExA(HKEY_CURRENT_USER); on failure 4071b8 call 40ee2a -> 4071cb return; on success 4070d0 call 406dc2 -> value loop at 40719b RegEnumValueA (when exhausted 4071af RegCloseKey -> 4071b8 -> return); per value: 4070fb-40710d type/size checks -> 40710f call 402544, call 40eed1 -> 407139 call 406cad -> 407147 call 40f1a5 (or 40715e call 40ee2a back to the loop) -> 4071d0 call 402544, 40ee95, 40ee2a -> 407205 RegCloseKey (exit) or 407227 -> 407230 call 40ef00, 40ed23 -> 40725b call 402544, 40ee95, 40ee2a -> 4072b8 call 40ed77 (___ascii_stricmp) -> 4072dd call 40ed23 -> 407304 call 406cad -> 407335 call 406c96 -> 40735f-407372 -> 40737e GetFileAttributesExA -> 40739d-4073cd (calls 40ef00) -> 4073d5 RegCloseKey -> 4073e4 call 40ef00 / 4073f2 return. Failure exits close the key at 4071af, 407205, 40728e, 4072cd and 407311.
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004070C2
                                                                                                    • RegEnumValueA.KERNELBASE(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0040719E
                                                                                                    • RegCloseKey.KERNELBASE(771B0F10,?,771B0F10,00000000), ref: 004071B2
                                                                                                    • RegCloseKey.ADVAPI32(771B0F10), ref: 00407208
                                                                                                    • RegCloseKey.ADVAPI32(771B0F10), ref: 00407291
                                                                                                    • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                                    • RegCloseKey.ADVAPI32(771B0F10), ref: 004072D0
                                                                                                    • RegCloseKey.ADVAPI32(771B0F10), ref: 00407314
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                                    • RegCloseKey.ADVAPI32(771B0F10), ref: 004073D8
                                                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                    • String ID: $"$PromptOnSecureDesktop
                                                                                                    • API String ID: 4293430545-98143240
                                                                                                    • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                    • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                                    • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                                    • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
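
                                                                                                    The two registry walkers traced above (the HKEY_LOCAL_MACHINE subkey enumeration at 4073ff and this HKEY_CURRENT_USER value enumeration at 40704c) follow one pattern: read a REG_SZ of up to MAX_PATH (0x104) bytes, compare names with ___ascii_stricmp, and hand a path to GetFileAttributesExA; the referenced strings include a lone double quote (0x22), consistent with stripping a quoted command line before the existence check. What follows is an added example of the triage-side equivalent, written for this page and not code from the sample or from Joe Sandbox: it resolves autorun-style command lines to an image path the way CreateProcess would, including the unquoted-path ambiguity, and reports entries whose target is missing. The value names, environment map and on-disk paths are constructed so that it runs offline; against a live host the values would come from RegEnumValueA/RegQueryValueExA and `exists` would be os.path.isfile.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample data (not from the analysed binary): value name -> REG_SZ data,
# the shape RegEnumValueA/RegQueryValueExA return for Run-style keys.
SAMPLE_VALUES: List[Tuple[str, str]] = [
    ("Agent",    r'"C:\Program Files\Vendor\Agent.exe" /silent'),
    ("Helper",   r'C:\Program Files\Vendor Tools\helper.exe -svc'),
    ("Service",  r'%SystemRoot%\system32\svchost.exe -k netsvcs'),
    ("Leftover", r'C:\Temp\gone.exe'),
]
SAMPLE_ENV: Dict[str, str] = {"SystemRoot": r"C:\Windows"}   # assumed expansion map

# Constructed fake disk so the example runs offline; lookups are case-insensitive,
# as Windows paths are (the routine compares with ___ascii_stricmp for the same reason).
CLEAN_DISK: Set[str] = {p.lower() for p in (
    r"C:\Program Files\Vendor\Agent.exe",
    r"C:\Program Files\Vendor Tools\helper.exe",
    r"C:\Windows\system32\svchost.exe",
)}
PLANTED_DISK: Set[str] = CLEAN_DISK | {r"c:\program.exe"}   # attacker-dropped file

def on_disk(disk: Set[str]) -> Callable[[str], bool]:
    """Stand-in for GetFileAttributesExA / os.path.isfile over the fake disk."""
    return lambda p: p.lower() in disk

def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references (REG_EXPAND_SZ style) from an explicit map."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), value)

def resolution_order(cmdline: str) -> List[str]:
    """Candidates CreateProcess tries for an UNQUOTED command line, in order:
    every space-delimited prefix, as written and with .exe appended."""
    parts = cmdline.split(" ")
    order: List[str] = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        order.append(prefix)
        if not prefix.lower().endswith(".exe"):
            order.append(prefix + ".exe")
    return order

@dataclass
class AutorunEntry:
    name: str
    raw: str
    image: Optional[str]   # path the loader would actually execute
    exists: bool
    quoted: bool

def resolve_image(value: str, exists: Callable[[str], bool],
                  env: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Extract the image path from one registry value and test it for presence."""
    v = expand_env(value.strip(), env)
    if v.startswith('"'):                 # leading 0x22: the path ends at the next quote
        end = v.find('"', 1)
        if end <= 1:
            return None, False
        path = v[1:end]
        return path, exists(path)
    for cand in resolution_order(v):      # first hit wins, exactly as CreateProcess does
        if exists(cand):
            return cand, True
    return v.split(" ")[0], False         # nothing matched; best guess for the report

def check_autoruns(values: List[Tuple[str, str]], exists: Callable[[str], bool],
                   env: Dict[str, str]) -> List[AutorunEntry]:
    out: List[AutorunEntry] = []
    for name, raw in values:
        image, present = resolve_image(raw, exists, env)
        out.append(AutorunEntry(name, raw, image, present, raw.lstrip().startswith('"')))
    return out

def dangling(entries: List[AutorunEntry]) -> List[str]:
    """Entries whose target is gone: orphaned persistence or a self-deleted payload."""
    return [e.name for e in entries if not e.exists]

def ambiguous(values: List[Tuple[str, str]], exists: Callable[[str], bool],
              env: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Unquoted command lines with more than one existing interpretation on disk;
    the loader silently takes the first, which is the unquoted-path hijack."""
    found: List[Tuple[str, List[str]]] = []
    for name, raw in values:
        v = expand_env(raw.strip(), env)
        if v.startswith('"'):
            continue
        hits = [c for c in resolution_order(v) if exists(c)]
        if len(hits) > 1:
            found.append((name, hits))
    return found

if __name__ == "__main__":
    for disk_name, disk in (("clean", CLEAN_DISK), ("planted", PLANTED_DISK)):
        entries = check_autoruns(SAMPLE_VALUES, on_disk(disk), SAMPLE_ENV)
        print(disk_name, [(e.name, e.image, e.exists) for e in entries])
        print("  dangling:", dangling(entries))
        print("  ambiguous:", ambiguous(SAMPLE_VALUES, on_disk(disk), SAMPLE_ENV))
```

                                                                                                    On the planted disk the unquoted Helper entry resolves to C:\Program.exe rather than the helper the value was written for, which is why an enumerator that only checks the full path would report it as healthy.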

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph (basic blocks 40675c-406986): 40675c -> optional 40677a SetFileAttributesA(FILE_ATTRIBUTE_NORMAL) -> 406784 CreateFileA(GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL), retried at 4067a4 with FILE_ATTRIBUTE_SYSTEM -> optional 4067ba SetFileAttributesA(FILE_ATTRIBUTE_HIDDEN) -> 4067c5 (invalid handle: 406977 return) -> 4067cf GetFileSize -> 4067ed ReadFile 0x40 bytes -> 406811 SetFilePointer -> 40682a ReadFile 0xF8 bytes -> 406848 SetFilePointer -> loop 406867-4068d0: 406878 ReadFile 0x28 bytes, 406891-4068ce checks, repeat -> 4068d5-4068fe call 40ebcc (heap allocation) -> 406900 SetFilePointer(0, FILE_BEGIN) -> 40690d ReadFile of the whole file -> 406922 -> 40696e close of the handle (reported as FindCloseChangeNotification, the same KERNELBASE export address as CloseHandle) -> 406977 return. Any failed read jumps to 40696b -> close; a failed seek or final read goes through 40695a call 40ec2e (HeapFree) first.
                                                                                                    APIs
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                                    • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                                    • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,771B0F10,00000000), ref: 0040688B
                                                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00406906
                                                                                                    • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,771B0F10,00000000), ref: 0040691C
                                                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,771B0F10,00000000), ref: 00406971
                                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1400801100-0
                                                                                                    • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                    • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                    • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                    • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 640 29b003c-29b0047 641 29b0049 640->641 642 29b004c-29b0263 call 29b0a3f call 29b0e0f call 29b0d90 VirtualAlloc 640->642 641->642 657 29b028b-29b0292 642->657 658 29b0265-29b0289 call 29b0a69 642->658 660 29b02a1-29b02b0 657->660 662 29b02ce-29b03c2 VirtualProtect call 29b0cce call 29b0ce7 658->662 660->662 663 29b02b2-29b02cc 660->663 669 29b03d1-29b03e0 662->669 663->660 670 29b0439-29b04b8 VirtualFree 669->670 671 29b03e2-29b0437 call 29b0ce7 669->671 673 29b04be-29b04cd 670->673 674 29b05f4-29b05fe 670->674 671->669 676 29b04d3-29b04dd 673->676 677 29b077f-29b0789 674->677 678 29b0604-29b060d 674->678 676->674 682 29b04e3-29b0505 LoadLibraryA 676->682 680 29b078b-29b07a3 677->680 681 29b07a6-29b07b0 677->681 678->677 683 29b0613-29b0637 678->683 680->681 684 29b086e-29b08be LoadLibraryA 681->684 685 29b07b6-29b07cb 681->685 686 29b0517-29b0520 682->686 687 29b0507-29b0515 682->687 688 29b063e-29b0648 683->688 692 29b08c7-29b08f9 684->692 689 29b07d2-29b07d5 685->689 690 29b0526-29b0547 686->690 687->690 688->677 691 29b064e-29b065a 688->691 693 29b07d7-29b07e0 689->693 694 29b0824-29b0833 689->694 695 29b054d-29b0550 690->695 691->677 696 29b0660-29b066a 691->696 697 29b08fb-29b0901 692->697 698 29b0902-29b091d 692->698 699 29b07e2 693->699 700 29b07e4-29b0822 693->700 704 29b0839-29b083c 694->704 701 29b05e0-29b05ef 695->701 702 29b0556-29b056b 695->702 703 29b067a-29b0689 696->703 697->698 699->694 700->689 701->676 705 29b056f-29b057a 702->705 706 29b056d 702->706 707 29b068f-29b06b2 703->707 708 29b0750-29b077a 703->708 704->684 709 29b083e-29b0847 704->709 715 29b059b-29b05bb 705->715 716 29b057c-29b0599 705->716 706->701 710 29b06ef-29b06fc 707->710 711 29b06b4-29b06ed 707->711 708->688 712 29b084b-29b086c 709->712 713 29b0849 709->713 717 29b074b 710->717 718 29b06fe-29b0748 710->718 711->710 712->704 713->684 723 29b05bd-29b05db 715->723 716->723 717->703 718->717 723->695
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 029B024D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID: cess$kernel32.dll
                                                                                                    • API String ID: 4275171209-1230238691
                                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                    • Instruction ID: 42523d658734be5adc1b1daf10dbf1cb7dd777a4bc5754a5a5006f2d178b3ac3
                                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                    • Instruction Fuzzy Hash: 87527974A01229DFDB65CF68C984BADBBB5BF09304F1480D9E94DAB351DB30AA85CF14

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                    • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                    • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                      • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                      • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                      • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                      • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                      • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 4131120076-2980165447
                                                                                                    • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                    • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                                    • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                                    • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 739 404000-404008 740 40400b-40402a CreateFileA 739->740 741 404057 740->741 742 40402c-404035 GetLastError 740->742 745 404059-40405c 741->745 743 404052 742->743 744 404037-40403a 742->744 747 404054-404056 743->747 744->743 746 40403c-40403f 744->746 745->747 746->745 748 404041-404050 Sleep 746->748 748->740 748->743
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                                    • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                                    • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateErrorFileLastSleep
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 408151869-2980165447
                                                                                                    • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                    • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                    • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                    • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 749 406987-4069b7 750 4069e0 749->750 751 4069b9-4069be 749->751 752 4069e4-4069fd WriteFile 750->752 751->750 753 4069c0-4069d0 751->753 754 406a4d-406a51 752->754 755 4069ff-406a02 752->755 756 4069d2 753->756 757 4069d5-4069de 753->757 759 406a53-406a56 754->759 760 406a59 754->760 755->754 758 406a04-406a08 755->758 756->757 757->752 761 406a0a-406a0d 758->761 762 406a3c-406a3e 758->762 759->760 763 406a5b-406a5f 760->763 764 406a10-406a2e WriteFile 761->764 762->763 765 406a40-406a4b 764->765 766 406a30-406a33 764->766 765->763 766->765 767 406a35-406a3a 766->767 767->762 767->764
                                                                                                    APIs
                                                                                                    • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                    • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID: ,k@
                                                                                                    • API String ID: 3934441357-1053005162
                                                                                                    • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                    • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                    • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                    • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 769 4091eb-409208 770 409308 769->770 771 40920e-40921c call 40ed03 769->771 773 40930b-40930f 770->773 775 40921e-40922c call 40ed03 771->775 776 40923f-409249 771->776 775->776 782 40922e-409230 775->782 778 409250-409270 call 40ee08 776->778 779 40924b 776->779 785 409272-40927f 778->785 786 4092dd-4092e1 778->786 779->778 784 409233-409238 782->784 784->784 789 40923a-40923c 784->789 790 409281-409285 785->790 791 40929b-40929e 785->791 787 4092e3-4092e5 786->787 788 4092e7-4092e8 786->788 787->788 793 4092ea-4092ef 787->793 788->786 789->776 790->790 792 409287 790->792 794 4092a0 791->794 795 40928e-409293 791->795 792->791 798 4092f1-4092f6 Sleep 793->798 799 4092fc-409302 793->799 800 4092a8-4092ab 794->800 796 409295-409298 795->796 797 409289-40928c 795->797 796->800 801 40929a 796->801 797->795 797->801 798->799 799->770 799->771 802 4092a2-4092a5 800->802 803 4092ad-4092b0 800->803 801->791 804 4092b2 802->804 805 4092a7 802->805 803->804 806 4092bd 803->806 807 4092b5-4092b9 804->807 805->800 808 4092bf-4092db ShellExecuteA 806->808 807->807 810 4092bb 807->810 808->786 809 409310-409324 808->809 809->773 810->808
                                                                                                    APIs
                                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                    • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShellSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 4194306370-0
                                                                                                    • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                    • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                                    • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                    • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 824 29b0e0f-29b0e24 SetErrorMode * 2 825 29b0e2b-29b0e2c 824->825 826 29b0e26 824->826 826->825
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,029B0223,?,?), ref: 029B0E19
                                                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,029B0223,?,?), ref: 029B0E1E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                    • Instruction ID: 8c5091a75a8c552e1507ec5e9f2876851e53a5403109e6d851cc54e5729abfa9
                                                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                    • Instruction Fuzzy Hash: 16D01236245228B7DB012AD4DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4046EA

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 830 406dc2-406dd5 831 406e33-406e35 830->831 832 406dd7-406df1 call 406cc9 call 40ef00 830->832 837 406df4-406df9 832->837 837->837 838 406dfb-406e00 837->838 839 406e02-406e22 GetVolumeInformationA 838->839 840 406e24 838->840 839->840 841 406e2e 839->841 840->841 841->831
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                      • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                      • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                      • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 1823874839-0
                                                                                                    • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                    • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                    • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                    • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02BBE058
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1351232837.0000000002BB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BB9000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_2bb9000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                    • Instruction ID: 02195c6b06c99e32253f6f8a89b2d4abe5af32bc40b7086726dd73582e2e5f5f
                                                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                    • Instruction Fuzzy Hash: 80112B79A00208EFDB01DF98C985E98BBF5AF08351F458094FA489B361D371EA50DF80
                                                                                                    APIs
                                                                                                    • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                                    • closesocket.WS2_32(?), ref: 0040CB63
                                                                                                    • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                                    • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                                    • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                                    • wsprintfA.USER32 ref: 0040CD21
                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                                    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                                    • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                                    • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                                    • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                                    • closesocket.WS2_32(?), ref: 0040D56C
                                                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                                    • ExitProcess.KERNEL32 ref: 0040D583
                                                                                                    • wsprintfA.USER32 ref: 0040D81F
                                                                                                      • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                                    • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                    • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                    • API String ID: 562065436-3791576231
                                                                                                    • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                    • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                                    • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                                    • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                    • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                    • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                                    • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                                    • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                                    • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                                    • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                                    • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                                    • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                                    • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                                    • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                    • API String ID: 2238633743-3228201535
                                                                                                    • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                    • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                    • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                    • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                    • wsprintfA.USER32 ref: 0040B3B7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                    • API String ID: 766114626-2976066047
                                                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                    • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                    • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                    • String ID: D
                                                                                                    • API String ID: 3722657555-2746444292
                                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                    APIs
                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                    • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShelllstrlen
                                                                                                    • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                                    • API String ID: 1628651668-1839596206
                                                                                                    • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                    • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                    • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                    • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                    • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                    • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                      • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                    • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                    • API String ID: 4207808166-1381319158
                                                                                                    • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                    • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                                    • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                    • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                    APIs
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00402A83
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00402A86
                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                    • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                    • select.WS2_32 ref: 00402B28
                                                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                    • htons.WS2_32(?), ref: 00402B71
                                                                                                    • htons.WS2_32(?), ref: 00402B8C
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 1639031587-0
                                                                                                    • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                    • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                    • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                    • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                    • ExitProcess.KERNEL32 ref: 00404121
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateEventExitProcess
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 2404124870-2980165447
                                                                                                    • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                    • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                    • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                    • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                    APIs
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                                    • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                    • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                    • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Read$AddressLibraryLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2438460464-0
                                                                                                    • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                    • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                                    • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                    • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                                    APIs
                                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                    • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                    • String ID: *p@
                                                                                                    • API String ID: 3429775523-2474123842
                                                                                                    • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                    • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                    • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                    • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 029B65F6
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 029B6610
                                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029B6631
                                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029B6652
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 1965334864-0
                                                                                                    • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                    • Instruction ID: 2e641a22c38312b16daaee350788746e9877bd09c76a33a2abd2fb289dc01123
                                                                                                    • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                    • Instruction Fuzzy Hash: 36113D71600218BFDB229F75DD49FDB3FACEF457A5F104024FA08A6250D7B1ED508AA4
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 1965334864-0
                                                                                                    • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                    • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                    • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                    • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                                    • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                      • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                      • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 3754425949-0
                                                                                                    • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                    • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                                    • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                    • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .$GetProcAddress.$l
                                                                                                    • API String ID: 0-2784972518
                                                                                                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                    • Instruction ID: 0a66f4f24eebff46a6d1eba4c5b0f30797ab4fddd30b559a89f81ec772f921fa
                                                                                                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                    • Instruction Fuzzy Hash: D33148B6900609DFDB11CF99C984AEEBBF9FF48324F14414AD841A7350D771EA45CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                                    • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                                    • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                                    • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1351232837.0000000002BB9000.00000040.00000020.00020000.00000000.sdmp, Offset: 02BB9000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_2bb9000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                    • Instruction ID: 8b33e426dbf5319896bdcbf7cf70dbff5fbf0c521dc9803b7dc7c0d98cb52cb4
                                                                                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                    • Instruction Fuzzy Hash: 09118EB2340101AFD745DF55DC91FF673EAEF89225B1980A5ED08CB315D6B9E802CB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                    • Instruction ID: d368135e42564d2e68dd37a759f2409f13f1ff75548028cdd3c4d342cc0a74d6
                                                                                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                    • Instruction Fuzzy Hash: 1F01A276A106048FDF22CF24CA05BEB33E9FFC6616F4545A5D90A9B281E774A9418B90
                                                                                                    APIs
                                                                                                    • ExitProcess.KERNEL32 ref: 029B9E6D
                                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 029B9FE1
                                                                                                    • lstrcat.KERNEL32(?,?), ref: 029B9FF2
                                                                                                    • lstrcat.KERNEL32(?,0041070C), ref: 029BA004
                                                                                                    • GetFileAttributesExA.KERNEL32(?,?,?), ref: 029BA054
                                                                                                    • DeleteFileA.KERNEL32(?), ref: 029BA09F
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 029BA0D6
                                                                                                    • lstrcpy.KERNEL32 ref: 029BA12F
                                                                                                    • lstrlen.KERNEL32(00000022), ref: 029BA13C
                                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 029B9F13
                                                                                                      • Part of subcall function 029B7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 029B7081
                                                                                                      • Part of subcall function 029B6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\aenzvwkq,029B7043), ref: 029B6F4E
                                                                                                      • Part of subcall function 029B6F30: GetProcAddress.KERNEL32(00000000), ref: 029B6F55
                                                                                                      • Part of subcall function 029B6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029B6F7B
                                                                                                      • Part of subcall function 029B6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029B6F92
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029BA1A2
                                                                                                    • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029BA1C5
                                                                                                    • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 029BA214
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 029BA21B
                                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 029BA265
                                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 029BA29F
                                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 029BA2C5
                                                                                                    • lstrcat.KERNEL32(?,00000022), ref: 029BA2D9
                                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 029BA2F4
                                                                                                    • wsprintfA.USER32 ref: 029BA31D
                                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 029BA345
                                                                                                    • lstrcat.KERNEL32(?,?), ref: 029BA364
                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029BA387
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029BA398
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029BA1D1
                                                                                                      • Part of subcall function 029B9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029B999D
                                                                                                      • Part of subcall function 029B9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 029B99BD
                                                                                                      • Part of subcall function 029B9966: RegCloseKey.ADVAPI32(?), ref: 029B99C6
                                                                                                    • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 029BA3DB
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 029BA3E2
                                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 029BA41D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                    • String ID: "$"$"$D$P$\
                                                                                                    • API String ID: 1653845638-2605685093
                                                                                                    • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                    • Instruction ID: 9d0296501e0905c2d4e9aa8298a28ff9b280062e846319ef1dd94a5fb444024c
                                                                                                    • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                    • Instruction Fuzzy Hash: 26F141B1D4025DAFDF22DBA08E48FEE7BBDAF09304F0444A6E605E2151E7759A848F64
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 029B7D21
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 029B7D46
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7D7D
                                                                                                    • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 029B7DA2
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029B7DC0
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 029B7DD1
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7DE5
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7DF3
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029B7E03
                                                                                                    • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 029B7E12
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 029B7E19
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029B7E35
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                    • String ID: D$PromptOnSecureDesktop
                                                                                                    • API String ID: 2976863881-1403908072
                                                                                                    • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                    • Instruction ID: 7c7ba836c86b22620e20ab916512d3a3523af567d24313c1bda3c30b58163d96
                                                                                                    • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                    • Instruction Fuzzy Hash: 06A14B72900219AFDB128FA0DE88FEEBBBDFF48744F04816AF505E6150D7758A85CB64
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                    • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                    • String ID: D$PromptOnSecureDesktop
                                                                                                    • API String ID: 2976863881-1403908072
                                                                                                    • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                    • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                    • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                    • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                    • API String ID: 2400214276-165278494
                                                                                                    • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                    • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                    • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                    • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 0040A7FB
                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                    • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                    • wsprintfA.USER32 ref: 0040A8AF
                                                                                                    • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                    • wsprintfA.USER32 ref: 0040A8E2
                                                                                                    • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                    • wsprintfA.USER32 ref: 0040A9B9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                                                    • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                    • API String ID: 3650048968-2394369944
                                                                                                    • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                    • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                    • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                    • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 029B7A96
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7ACD
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 029B7ADF
                                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 029B7B01
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029B7B1F
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 029B7B39
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7B4A
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7B58
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029B7B68
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 029B7B77
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 029B7B7E
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029B7B9A
                                                                                                    • GetAce.ADVAPI32(?,?,?), ref: 029B7BCA
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 029B7BF1
                                                                                                    • DeleteAce.ADVAPI32(?,?), ref: 029B7C0A
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 029B7C2C
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7CB1
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7CBF
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 029B7CD0
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 029B7CE0
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 029B7CEE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                    • String ID: D
                                                                                                    • API String ID: 3722657555-2746444292
                                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction ID: f654d0ebd20af280c1c699e3fd905bd77509bb0b3fcbacd0931144b6a0a99d2b
                                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction Fuzzy Hash: 20813D72900219AFDB12CFE4DE88FEEBBBCAF48305F04816AE505E6250D7759A45CF64
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                    • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                    • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                    • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseOpenQuery
                                                                                                    • String ID: PromptOnSecureDesktop$localcfg
                                                                                                    • API String ID: 237177642-1678164370
                                                                                                    • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                    • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                    • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                    • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                    APIs
                                                                                                    • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                    • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                    • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                    • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                    • API String ID: 835516345-270533642
                                                                                                    • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                    • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                    • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                    • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 029B865A
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 029B867B
                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 029B86A8
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 029B86B1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseOpenQuery
                                                                                                    • String ID: "$PromptOnSecureDesktop
                                                                                                    • API String ID: 237177642-3108538426
                                                                                                    • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                    • Instruction ID: 128f38fcc887b322a511e1dd8b67b7c755268c2cc85ed0bd091818acd99c2f06
                                                                                                    • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                    • Instruction Fuzzy Hash: 88C17F71900149BFEF12ABA4DE89EEE7BBDEF48304F144066F604A6050E7714A948B65
                                                                                                    APIs
                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 029B1601
                                                                                                    • lstrlenW.KERNEL32(-00000003), ref: 029B17D8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShelllstrlen
                                                                                                    • String ID: $<$@$D
                                                                                                    • API String ID: 1628651668-1974347203
                                                                                                    • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                    • Instruction ID: df3caf3a0597b9f19cd2fbfeb3b8e886828a1896a4627902182df770bcccf36e
                                                                                                    • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                    • Instruction Fuzzy Hash: D4F1ACB11083819FD721CF64C998BEBB7E9FF88304F10892DF59A972A0D7B49944CB56
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029B76D9
                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 029B7757
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 029B778F
                                                                                                    • ___ascii_stricmp.LIBCMT ref: 029B78B4
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B794E
                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029B796D
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B797E
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B79AC
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B7A56
                                                                                                      • Part of subcall function 029BF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,029B772A,?), ref: 029BF414
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 029B79F6
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B7A4D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                    • String ID: "$PromptOnSecureDesktop
                                                                                                    • API String ID: 3433985886-3108538426
                                                                                                    • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                    • Instruction ID: 6f5b54e8bedef0f98781eeb8a28d7cd6d8db4efced1db3dc229972a8566402c9
                                                                                                    • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                    • Instruction Fuzzy Hash: 52C17372900209AFDB12DBE4DE44FEEBBBDEF89710F1441A5E544E6190EB71DA84CB60
                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 029B2CED
                                                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 029B2D07
                                                                                                    • htons.WS2_32(00000000), ref: 029B2D42
                                                                                                    • select.WS2_32 ref: 029B2D8F
                                                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 029B2DB1
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029B2E62
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 127016686-0
                                                                                                    • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                    • Instruction ID: a844754e445bd0e1a5e81102e49a2f9bdfbb3dfbc358388cf5ba20d742e5a797
                                                                                                    • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                                    • Instruction Fuzzy Hash: 9A61EF71904305ABC322AF65DD08BEBBBECEF88745F004829FD8497160D7B4D880CBA6
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                      • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                      • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                      • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                      • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                                    • wsprintfA.USER32 ref: 0040AEA5
                                                                                                      • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                                    • wsprintfA.USER32 ref: 0040AE4F
                                                                                                    • wsprintfA.USER32 ref: 0040AE5E
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                    • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                    • API String ID: 3631595830-1816598006
                                                                                                    • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                    • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                    • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                    • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                    • htons.WS2_32(00000035), ref: 00402E88
                                                                                                    • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                    • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                    • API String ID: 929413710-2099955842
                                                                                                    • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                    • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                    • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                    • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32(?), ref: 029B95A7
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029B95D5
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 029B95DC
                                                                                                    • wsprintfA.USER32 ref: 029B9635
                                                                                                    • wsprintfA.USER32 ref: 029B9673
                                                                                                    • wsprintfA.USER32 ref: 029B96F4
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029B9758
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029B978D
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029B97D8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 3696105349-2980165447
                                                                                                    • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                    • Instruction ID: b001f930b03aa73000ae96becf5d14f5538d158dcdeb970be76d510faaee7d44
                                                                                                    • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                    • Instruction Fuzzy Hash: 16A16AB295020CAFEB22DFA0CD85FDA3BADEF48740F104026FA15A6151E7B5D584CFA4
                                                                                                    APIs
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmpi
                                                                                                    • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                                    • API String ID: 1586166983-142018493
                                                                                                    • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                    • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                    • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                    • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 0040B467
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$wsprintf
                                                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                    • API String ID: 1220175532-2340906255
                                                                                                    • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                    • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                    • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                    • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32 ref: 029B202D
                                                                                                    • GetSystemInfo.KERNEL32(?), ref: 029B204F
                                                                                                    • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 029B206A
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 029B2071
                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 029B2082
                                                                                                    • GetTickCount.KERNEL32 ref: 029B2230
                                                                                                      • Part of subcall function 029B1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 029B1E7C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                    • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                    • API String ID: 4207808166-1391650218
                                                                                                    • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                    • Instruction ID: ad89a558a526af43ddb215cb195e7ef56d43268a244c1e1827628b41dc779185
                                                                                                    • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                    • Instruction Fuzzy Hash: 1E5137B0900348AFE332AF758D84FE7BAECEF85704F40491DF99692142D7B8A544CB65
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00402078
                                                                                                    • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                    • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                    • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                    • GetTickCount.KERNEL32 ref: 00402132
                                                                                                    • GetTickCount.KERNEL32 ref: 00402142
                                                                                                      • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                      • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                      • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                      • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                      • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                    • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                    • API String ID: 3976553417-1522128867
                                                                                                    • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                    • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                    • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                    • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                    APIs
                                                                                                    • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                    • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: closesockethtonssocket
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 311057483-2401304539
                                                                                                    • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                    • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                    • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                    • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                      • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                    • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                    • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1553760989-1857712256
                                                                                                    • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                    • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                    • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                    • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 029B3068
                                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 029B3078
                                                                                                    • GetProcAddress.KERNEL32(00000000,00410408), ref: 029B3095
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 029B30B6
                                                                                                    • htons.WS2_32(00000035), ref: 029B30EF
                                                                                                    • inet_addr.WS2_32(?), ref: 029B30FA
                                                                                                    • gethostbyname.WS2_32(?), ref: 029B310D
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 029B314D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                    • String ID: iphlpapi.dll
                                                                                                    • API String ID: 2869546040-3565520932
                                                                                                    • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                    • Instruction ID: a34baf1f08ff3a42c0dd7040d1b1c7549d64c0ca321ca18b9277bb9fac303ece
                                                                                                    • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                    • Instruction Fuzzy Hash: BF31B631A00206BBDB12DBB89D48BEE77BCEF05764F1441A5E918E7290DB74D541CB5C
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                                                    • API String ID: 3560063639-3847274415
                                                                                                    • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                    • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                    • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                    • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                    • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                                    • API String ID: 1082366364-2834986871
                                                                                                    • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                    • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                    • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                    • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                                    • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                    • String ID: D$PromptOnSecureDesktop
                                                                                                    • API String ID: 2981417381-1403908072
                                                                                                    • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                    • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                    • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                    • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                    APIs
                                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 029B67C3
                                                                                                    • htonl.WS2_32(?), ref: 029B67DF
                                                                                                    • htonl.WS2_32(?), ref: 029B67EE
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 029B68F1
                                                                                                    • ExitProcess.KERNEL32 ref: 029B69BC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                    • String ID: except_info$localcfg
                                                                                                    • API String ID: 1150517154-3605449297
                                                                                                    APIs
                                                                                                    • htons.WS2_32(029BCC84), ref: 029BF5B4
                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 029BF5CE
                                                                                                    • closesocket.WS2_32(00000000), ref: 029BF5DC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: closesockethtonssocket
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 311057483-2401304539
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                    • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                    • wsprintfA.USER32 ref: 00407036
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                    • String ID: /%d$|
                                                                                                    • API String ID: 676856371-4124749705
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(?), ref: 029B2FA1
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 029B2FB1
                                                                                                    • GetProcAddress.KERNEL32(00000000,004103F0), ref: 029B2FC8
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029B3000
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 029B3007
                                                                                                    • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 029B3032
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                    • String ID: dnsapi.dll
                                                                                                    • API String ID: 1242400761-3175542204
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\aenzvwkq,029B7043), ref: 029B6F4E
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 029B6F55
                                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029B6F7B
                                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029B6F92
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                    • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\aenzvwkq
                                                                                                    • API String ID: 1082366364-1787891232
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Code
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 3609698214-2980165447
                                                                                                    APIs
                                                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
                                                                                                    • wsprintfA.USER32 ref: 029B9350
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
                                                                                                    • lstrlen.KERNEL32(?,?,00000000), ref: 029B9389
                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 029B939B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 2439722600-2980165447
                                                                                                    APIs
                                                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                    • wsprintfA.USER32 ref: 004090E9
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 2439722600-2980165447
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 029B9A18
                                                                                                    • GetThreadContext.KERNEL32(?,?), ref: 029B9A52
                                                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 029B9A60
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 029B9A98
                                                                                                    • SetThreadContext.KERNEL32(?,00010002), ref: 029B9AB5
                                                                                                    • ResumeThread.KERNEL32(?), ref: 029B9AC2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                    • String ID: D
                                                                                                    • API String ID: 2981417381-2746444292
                                                                                                    APIs
                                                                                                    • inet_addr.WS2_32(004102D8), ref: 029B1C18
                                                                                                    • LoadLibraryA.KERNEL32(004102C8), ref: 029B1C26
                                                                                                    • GetProcessHeap.KERNEL32 ref: 029B1C84
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 029B1C9D
                                                                                                    • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 029B1CC1
                                                                                                    • HeapFree.KERNEL32(?,00000000,00000000), ref: 029B1D02
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 029B1D0B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                    • String ID:
                                                                                                    • API String ID: 2324436984-0
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                    • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue$CloseOpen
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 1586453840-2980165447
                                                                                                    • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                    • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                    • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                    • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                                    • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                    • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle$CreateEvent
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 1371578007-2980165447
                                                                                                    • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                    • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                    • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                    • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 029B6CE4
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029B6D22
                                                                                                    • GetLastError.KERNEL32 ref: 029B6DA7
                                                                                                    • CloseHandle.KERNEL32(?), ref: 029B6DB5
                                                                                                    • GetLastError.KERNEL32 ref: 029B6DD6
                                                                                                    • DeleteFileA.KERNEL32(?), ref: 029B6DE7
                                                                                                    • GetLastError.KERNEL32 ref: 029B6DFD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                    • String ID:
                                                                                                    • API String ID: 3873183294-0
                                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                    • Instruction ID: 8b323eb0eddfb865d11c9424e8aac627905ba7559ee8614626d6975b43b5d16d
                                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                    • Instruction Fuzzy Hash: 5131E176900249BFCB02DFA4DE48ADE7F7DEF88310F148476E251E3250D770AA958B65
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029B93C6
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 029B93CD
                                                                                                    • CharToOemA.USER32(?,?), ref: 029B93DB
                                                                                                    • wsprintfA.USER32 ref: 029B9410
                                                                                                      • Part of subcall function 029B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
                                                                                                      • Part of subcall function 029B92CB: wsprintfA.USER32 ref: 029B9350
                                                                                                      • Part of subcall function 029B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
                                                                                                      • Part of subcall function 029B92CB: lstrlen.KERNEL32(?,?,00000000), ref: 029B9389
                                                                                                      • Part of subcall function 029B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
                                                                                                      • Part of subcall function 029B92CB: CloseHandle.KERNEL32(00000000), ref: 029B939B
                                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029B9448
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 3857584221-2980165447
                                                                                                    • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                    • Instruction ID: c6c1ec20cdbecd40651e6a05e1a5bec1c252ce1a6c8c2fe8c6c113f18cfb704d
                                                                                                    • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                    • Instruction Fuzzy Hash: 33015EF69001187BEB21A7619E8DEDF3B7CDB95701F0040A2BB49E2080EAB497C58F75
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                    • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                    • wsprintfA.USER32 ref: 004091A9
                                                                                                      • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                      • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                      • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                      • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                      • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                      • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 3857584221-2980165447
                                                                                                    • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                    • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                    • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                    • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
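The two routines above (at 029B93C6 in the unpacked region and at 0040915F in the main image) are raw call traces; what a triager wants is the arguments decoded and each block mapped to a behaviour. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses "APIs" blocks in exactly this listing format (including the "Part of subcall function" indented lines and the "String ID" line), decodes the CreateFileA and RegOpenKeyExA constants that appear here (40000000 = GENERIC_WRITE, 00000002 = CREATE_ALWAYS, 00000080 = FILE_ATTRIBUTE_NORMAL, 80000001 = HKEY_CURRENT_USER) and tags three patterns visible in this report: the %TEMP% file written and handed to ShellExecuteA (with GetModuleFileNameA feeding it, the usual shape of a self-delete or relaunch helper), the CreateFileA/GetLastError/DeleteFileA write-probe at 029B6CE4, and the RegQueryValueExA lookup whose string is PromptOnSecureDesktop. The embedded SAMPLE is constructed from lines in this listing (the registry block is a composite of two blocks); the rule names, the decode tables and the behaviour labels are mine, not something the report itself asserts.

```python
"""Parse Joe Sandbox 'APIs' listings, decode Win32 constants and tag behaviour.
Added example for this report; not code from Joe Sandbox or from the sample."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from this listing (the registry block is a composite).
SAMPLE = """\
APIs
• GetModuleFileNameA.KERNEL32(00000000), ref: 029B93CD
• wsprintfA.USER32 ref: 029B9410
  • Part of subcall function 029B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
  • Part of subcall function 029B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
  • Part of subcall function 029B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029B9448
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 029B6CE4
• GetLastError.KERNEL32 ref: 029B6DA7
• DeleteFileA.KERNEL32(?), ref: 029B6DE7
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F), ref: 00408187
• String ID: PromptOnSecureDesktop
"""

CALL_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")
# Win32 values for the argument positions that matter in triage.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}
ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL"}
HKEY = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}

@dataclass
class Call:
    api: str
    args: list
    ref: str
    subcall_of: Optional[str] = None

@dataclass
class Block:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def parse_blocks(text):
    """Split the listing at each 'APIs' header into blocks of calls plus their String IDs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":
            blocks.append(Block())
        elif not blocks:
            continue
        elif line.startswith("String ID:"):  # several strings are joined with '$'
            blocks[-1].strings += [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
        elif m := CALL_RE.search(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].calls.append(Call(m["api"], args, m["ref"], m["sub"]))
    return blocks

def _hex(arg):
    """Resolved arguments are printed as 8 hex digits; '?' means the value was not recovered."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def decode_call(call):
    """Map the numeric arguments of CreateFileA / RegOpenKeyExA to symbolic names."""
    out = {}
    if call.api == "CreateFileA" and len(call.args) >= 6:
        access, disp, attrs = (_hex(call.args[i]) for i in (1, 4, 5))
        if access is not None:
            out["access"] = [n for bit, n in ACCESS.items() if access & bit] or [hex(access)]
        if disp is not None:
            out["disposition"] = DISPOSITION.get(disp, hex(disp))
        if attrs is not None:
            out["attributes"] = ATTRS.get(attrs, hex(attrs))
    elif call.api == "RegOpenKeyExA" and call.args and (root := _hex(call.args[0])) is not None:
        out["root"] = HKEY.get(root, hex(root))
    return out

def classify(block):
    """Tag a block with the patterns seen in this listing (rule names are mine)."""
    tags, apis = [], {c.api for c in block.calls}
    write_create = any("GENERIC_WRITE" in d.get("access", []) and d.get("disposition") == "CREATE_ALWAYS"
                       for d in map(decode_call, block.calls))
    if write_create and {"GetTempPathA", "WriteFile", "ShellExecuteA"} <= apis:
        tags.append("temp_script_drop_and_execute")  # %TEMP% file written, then run: self-delete/relaunch helper shape
    if write_create and "DeleteFileA" in apis and "WriteFile" not in apis:
        tags.append("writable_location_probe")  # create then delete, nothing written: is this path writable?
    if "RegQueryValueExA" in apis and "PromptOnSecureDesktop" in block.strings:
        tags.append("uac_policy_lookup")  # value name is the UAC secure-desktop policy setting
    return tags

def analyse(text):
    """Return (address of first call, tags) for every block in the listing."""
    return [(b.calls[0].ref, classify(b)) for b in parse_blocks(text) if b.calls]
```

Run `analyse(SAMPLE)` to get one `(address, tags)` pair per block; feeding it the whole "Execution Graph" text of a report works the same way, since only the "APIs" headers, the call lines and the "String ID" lines are consumed. The tags are deliberately conservative: the self-delete label requires both the GENERIC_WRITE/CREATE_ALWAYS CreateFileA and a WriteFile before ShellExecuteA, and the probe label requires that nothing was written, so a legitimate file drop is not mistaken for a writability test.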
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen
                                                                                                    • String ID: $localcfg
                                                                                                    • API String ID: 1659193697-2018645984
                                                                                                    • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                    • Instruction ID: cfd63c9f51d115d1a3a7bdd0ca8150eef1c3339cb8dc1f674b8cd26bf15dc2df
                                                                                                    • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                    • Instruction Fuzzy Hash: FF713B71A00318BADF338B58DE85FEE376DAF81709F244467F904A6090DF7295C48B59
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                      • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                    • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                    • String ID: flags_upd$localcfg
                                                                                                    • API String ID: 204374128-3505511081
                                                                                                    • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                    • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                    • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                    • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                    APIs
                                                                                                      • Part of subcall function 029BDF6C: GetCurrentThreadId.KERNEL32 ref: 029BDFBA
                                                                                                    • lstrcmp.KERNEL32(00410178,00000000), ref: 029BE8FA
                                                                                                    • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,029B6128), ref: 029BE950
                                                                                                    • lstrcmp.KERNEL32(?,00000008), ref: 029BE989
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                    • String ID: A$ A$ A
                                                                                                    • API String ID: 2920362961-1846390581
                                                                                                    • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                    • Instruction ID: de33c884d5404985c5aea482ab15409ab6ba6d6156173993e0edb9d6f5071644
                                                                                                    • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                                    • Instruction Fuzzy Hash: 5831B231A007059BDF738F24C9847E67BECEF09715F80892AE5D687551D374E888CB91
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Code
                                                                                                    • String ID:
                                                                                                    • API String ID: 3609698214-0
                                                                                                    • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                    • Instruction ID: 269d167a4fa46e2f1865d4837adcbfaaa042f403356f295e4d73e0c557cbf7ac
                                                                                                    • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                                    • Instruction Fuzzy Hash: 37212E7A104119BFDB129BB0FE48EDF7FADEF49665B108425F502D1090EB70EA509B74
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                    • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                    • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0040E538,?,771B0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                    • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3819781495-0
                                                                                                    • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                    • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                                    • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                                    • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 029BC6B4
                                                                                                    • InterlockedIncrement.KERNEL32(029BC74B), ref: 029BC715
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,029BC747), ref: 029BC728
                                                                                                    • CloseHandle.KERNEL32(00000000,?,029BC747,00413588,029B8A77), ref: 029BC733
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1026198776-1857712256
                                                                                                    • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                    • Instruction ID: bec825192b39cae195558dc7e12f6a7e09e74ab2b81729216591cbf9874febf6
                                                                                                    • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                                    • Instruction Fuzzy Hash: FE514AB1A01B468FD7258F69C6D466ABBE9FF88304B50593FE18BC7A90D774E840CB10
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408187
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004081BE
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408210
                                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                                      • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                                      • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                                      • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 124786226-2980165447
                                                                                                    • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                    • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                                    • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                                    • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                                    APIs
                                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,029BE50A,00000000,00000000,00000000,00020106,00000000,029BE50A,00000000,000000E4), ref: 029BE319
                                                                                                    • RegSetValueExA.ADVAPI32(029BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE38E
                                                                                                    • RegDeleteValueA.ADVAPI32(029BE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE3BF
                                                                                                    • RegCloseKey.ADVAPI32(029BE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029BE50A), ref: 029BE3C8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseCreateDelete
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 2667537340-2980165447
                                                                                                    • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                    • Instruction ID: 9d76c320faad90ea19956aa9fab8038ea3668973ae80c17f05a3b634b1221a7c
                                                                                                    • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                    • Instruction Fuzzy Hash: E3214A71A0021DBBDF229FA4ED89EEE7F7DEF08750F008021F944A6160E3718A54DBA0
                                                                                                    APIs
                                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                    • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                    • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                    • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseCreateDelete
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 2667537340-2980165447
                                                                                                    • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                    • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                    • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                    • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 029B71E1
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7228
                                                                                                    • LocalFree.KERNEL32(?,?,?), ref: 029B7286
                                                                                                    • wsprintfA.USER32 ref: 029B729D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                    • String ID: |
                                                                                                    • API String ID: 2539190677-2343686810
                                                                                                    • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                    • Instruction ID: 464caa247c195e7534b5bb02cc54ca1f80958e5cce00a0371cebc8f276fa4088
                                                                                                    • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                                    • Instruction Fuzzy Hash: 9F312972A00208BFDB02DFA8DD45BDA7BACEF44314F14C166F959DB240EB75D6488BA4
                                                                                                    APIs
                                                                                                    • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                    • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$gethostnamelstrcpy
                                                                                                    • String ID: LocalHost
                                                                                                    • API String ID: 3695455745-3154191806
                                                                                                    • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                    • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                                    • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                                    • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 029BB51A
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 029BB529
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 029BB548
                                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 029BB590
                                                                                                    • wsprintfA.USER32 ref: 029BB61E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 4026320513-0
                                                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                    • Instruction ID: 724ddb351160e7a98ca85c30cafe30d6e01b5a0d55529ddfa370c3705feaab14
                                                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                    • Instruction Fuzzy Hash: 5C511EB1D0021CAACF15DFD5D9889EEBBB9BF48304F10856AE505A6150E7F84AC9CF98
                                                                                                    APIs
                                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 029B6303
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 029B632A
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 029B63B1
                                                                                                    • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 029B6405
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 3498078134-0
                                                                                                    • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                    • Instruction ID: aad41257da8cabcb71046fe7f354872aea0c2073ae96a8a25e94b59b3bd7ad9d
                                                                                                    • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                    • Instruction Fuzzy Hash: 3B417971A00609ABDB16CF58CA84BEDBBBDFF04318F188469E969D7290E731F940CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                    • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                    • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                    • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                    • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                    • lstrcmpA.KERNEL32(?,00000008,?,771B0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                    • String ID: A$ A
                                                                                                    • API String ID: 3343386518-686259309
                                                                                                    • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                    • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                    • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                    • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                    • htons.WS2_32(00000001), ref: 00402752
                                                                                                    • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                    • htons.WS2_32(00000001), ref: 004027E3
                                                                                                    • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                      • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                      • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                    • String ID:
                                                                                                    • API String ID: 1128258776-0
                                                                                                    • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                    • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                    • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                    • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                    APIs
                                                                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: setsockopt
                                                                                                    • String ID:
                                                                                                    • API String ID: 3981526788-0
                                                                                                    • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                    • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                    • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                    • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                    APIs
                                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$lstrcmpi
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1808961391-1857712256
                                                                                                    • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                    • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                    • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                    • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                    APIs
                                                                                                      • Part of subcall function 029BDF6C: GetCurrentThreadId.KERNEL32 ref: 029BDFBA
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,029BA6AC), ref: 029BE7BF
                                                                                                    • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,029BA6AC), ref: 029BE7EA
                                                                                                    • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,029BA6AC), ref: 029BE819
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 1396056608-2980165447
                                                                                                    • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                    • Instruction ID: d6e9b282dc8568db452486c088d9ea86cdff918c519168309b7c6df57c138980
                                                                                                    • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                                    • Instruction Fuzzy Hash: D32127B1A003047AF6237735AE49FEB3E0DDFA5B60F500034FA49B55D3EAA594508AB9
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                                    • CloseHandle.KERNEL32(00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 3683885500-2980165447
                                                                                                    • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                    • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                                    • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                                    • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                    • API String ID: 2574300362-1087626847
                                                                                                    • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                    • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                    • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                    • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029B76D9
                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029B796D
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B797E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseEnumOpen
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 1332880857-2980165447
                                                                                                    • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                    • Instruction ID: ef94afd45ec1076651251536969ba03c45657d08baa4c1dd71f67a8475297232
                                                                                                    • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                    • Instruction Fuzzy Hash: E811DC32A00109AFDB128FA9DD44FEFBF7DEF86704F140261F510E6290E3B089408B61
                                                                                                    APIs
                                                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                    • String ID: hi_id$localcfg
                                                                                                    • API String ID: 2777991786-2393279970
                                                                                                    • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                    • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                    • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                    • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029B999D
                                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000), ref: 029B99BD
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 029B99C6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseDeleteOpenValue
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 849931509-2980165447
                                                                                                    • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                    • Instruction ID: e7075a9d172f9563088b878039ea5a8e8b19e09ea91dffb2c3ee4635050989d4
                                                                                                    • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                    • Instruction Fuzzy Hash: 3DF0F6B2A80208BBF7116B54ED46FDB3A2CDF95B10F104060FA05B5091F6E59A9086BD
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                                    • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                                    • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseDeleteOpenValue
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 849931509-2980165447
                                                                                                    • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                    • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                                    • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                    • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: gethostbynameinet_addr
                                                                                                    • String ID: time_cfg$u6A
                                                                                                    • API String ID: 1594361348-1940331995
                                                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                    • Instruction ID: e12e3185b9d493d41d2444881e38ff6fe0016d23374082560665e496e5f71b62
                                                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                    • Instruction Fuzzy Hash: DCE0C230A041119FCB018B2CF948AC537E8EF0A230F008580F844C31A0C734DCC09780
                                                                                                    APIs
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 029B69E5
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 029B6A26
                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 029B6A3A
                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 029B6BD8
                                                                                                      • Part of subcall function 029BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029B1DCF,?), ref: 029BEEA8
                                                                                                      • Part of subcall function 029BEE95: HeapFree.KERNEL32(00000000), ref: 029BEEAF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 3384756699-0
                                                                                                    • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                    • Instruction ID: 37a56a69097bbaca44971f93b24aa9fc4b056b55e35b644095545d563b4f8c0d
                                                                                                    • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                    • Instruction Fuzzy Hash: 1C71057190422DEFDF129FA4CD80AEEBBBDFF08354F10456AE515A6190D730AE92DB60
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf
                                                                                                    • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                    • API String ID: 2111968516-120809033
                                                                                                    • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                    • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                    • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                    • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
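The two entries above are worth reading together: one resolves an address with inet_addr/gethostbyname next to the string "time_cfg", the other formats "%u.%u.%u.%u.%s" next to "localcfg", which is four unsigned decimals joined by dots and followed by a string, the shape of a name built from an IP address. The block below is an added example, not code from the report or from the sample: it reproduces what that format string yields, shows the inet_addr-then-gethostbyname idiom with the resolver injected so it runs offline, and runs a detector for octet-prefixed query names over constructed DNS log lines. The IPv4 interpretation of the four values, the reversed-octet option, the suffix names and the log format are assumptions.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# Added example, not code from the report or from the sample. The wsprintf
# format "%u.%u.%u.%u.%s" captured above expands to four unsigned decimals
# joined by dots and followed by an arbitrary string; "localcfg" is the only
# %s argument the report shows. Treating the four values as IPv4 octets, the
# reversed-octet layout, the inet_addr/gethostbyname fallback order and the
# DNS log format below are assumptions made for this example.


def format_octets_with_suffix(ip: str, suffix: str, reverse: bool = False) -> str:
    """What wsprintf("%u.%u.%u.%u.%s", a, b, c, d, suffix) yields for an IPv4
    address. reverse=True emits the octets last-first, the layout used by
    reverse-IP lookups such as DNS blocklist queries (assumed, not shown)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    if reverse:
        octets.reverse()
    return ".".join(octets) + "." + suffix


def resolve_literal_or_name(entry: str, resolver: Callable[[str], Optional[str]]) -> Optional[str]:
    """inet_addr-then-gethostbyname idiom: a dotted literal is used as-is,
    anything else goes to the resolver (injected so this runs offline).
    Stricter than inet_addr, which also accepts short forms like "1.2.3"."""
    try:
        return str(ipaddress.IPv4Address(entry))
    except ipaddress.AddressValueError:
        return resolver(entry)


# Detection side: query names that start with four decimal labels which are
# valid octets, followed by a domain suffix. This matches the shape the format
# string produces whatever the octet order.
_OCTET_PREFIXED = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\."
    r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})\.?$"
)


def find_octet_prefixed_queries(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, suffix) for every query name shaped like
    "<o1>.<o2>.<o3>.<o4>.<suffix>". Log format (constructed for this example):
    "<timestamp> <client-ip> <qname> <qtype>"."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, qname = parts[1], parts[2]
        m = _OCTET_PREFIXED.match(qname)
        if not m:
            continue
        if any(int(m.group(i)) > 255 for i in range(1, 5)):
            continue  # "999.1.1.1.x" is not an octet prefix
        hits.append((client, qname, m.group(5)))
    return hits


# Constructed sample log lines (not from the sandbox run).
SAMPLE_DNS_LOG = [
    "2024-07-01T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-07-01T10:00:02Z 10.0.0.5 4.3.2.1.zen.example.net A",
    "2024-07-01T10:00:03Z 10.0.0.7 198.51.100.23.localcfg.example.org A",
    "2024-07-01T10:00:04Z 10.0.0.7 999.1.1.1.bogus.example A",
]

if __name__ == "__main__":
    print(format_octets_with_suffix("192.0.2.10", "localcfg", reverse=True))
    for hit in find_octet_prefixed_queries(SAMPLE_DNS_LOG):
        print("octet-prefixed query:", hit)
```

The detector deliberately keys on the label structure rather than on a suffix list, because the suffix is a runtime argument to the format string and is not recoverable from the disassembly alone; pair the hits with the resolver addresses the sample actually contacts before treating them as indicators.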
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029B421F
                                                                                                    • GetLastError.KERNEL32 ref: 029B4229
                                                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 029B423A
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029B424D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 888215731-0
                                                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction ID: 1583882053477f464152fbe648e7064e94fafd86c941f07aa2be2d7e6cc1a3b1
                                                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction Fuzzy Hash: E801A572911109ABDF02DF90EE84BEE7BACEF08255F108461F901E6051D7709A54ABB6
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029B41AB
                                                                                                    • GetLastError.KERNEL32 ref: 029B41B5
                                                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 029B41C6
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029B41D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3373104450-0
                                                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction ID: 0bf8d5b814dfd0e2f984cb7a65127b0e70dc19d50f841843927de349a85ea806
                                                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction Fuzzy Hash: A6010C7691110AAFDF02DF90EE84BEF7B6CEF18255F004061F905E2051D770DA549BB5
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                    • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3373104450-0
                                                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                    • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 888215731-0
                                                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
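The four preceding entries (WriteFile and ReadFile at 00403F44 and 00403FB8, and their copies in the 029B0000 dump) share one API chain: the transfer call, GetLastError, WaitForSingleObject, GetOverlappedResult. That is the idiom for an overlapped I/O request with a deadline: the call returns FALSE with ERROR_IO_PENDING when the kernel has queued the request, the caller waits on the OVERLAPPED event, then collects the byte count. The block below is an added example, not code from the report or from the sample: the control flow is written once with the three Win32 calls injected as callables so it runs and can be tested on any platform, and a Windows-only wrapper supplies the real calls through ctypes. The constant 0x7D0 (2000) appears among the captured arguments; using it as a 2000 ms timeout is an assumption, as is the choice of WriteFile for the wrapper.

```python
import ctypes
import sys
from typing import Callable, Tuple

# Added example, not code from the report or from the sample. It reproduces the
# ReadFile/WriteFile -> GetLastError -> WaitForSingleObject -> GetOverlappedResult
# chain captured at 00403F44 and 00403FB8 as a timed overlapped I/O operation.
# The 2000 ms default mirrors the 0x7D0 seen among the captured arguments;
# that it is the timeout is an assumption.

ERROR_IO_PENDING = 997
WAIT_OBJECT_0 = 0

StartFn = Callable[[], Tuple[bool, int, int]]    # () -> (ok, last_error, bytes_done)
WaitFn = Callable[[int], int]                     # timeout_ms -> wait code
ResultFn = Callable[[], Tuple[bool, int, int]]   # () -> (ok, last_error, bytes_done)


def complete_overlapped(start: StartFn, wait: WaitFn, get_result: ResultFn, timeout_ms: int) -> int:
    """Drive one overlapped transfer to completion or raise.
    Synchronous success returns at once. ERROR_IO_PENDING means the request
    was queued: wait on the OVERLAPPED event, then read the byte count with
    GetOverlappedResult. Any other start error, or a wait that does not return
    WAIT_OBJECT_0 within timeout_ms, is a failure."""
    ok, err, count = start()
    if ok:
        return count
    if err != ERROR_IO_PENDING:
        raise OSError(err, "I/O request was rejected")
    if wait(timeout_ms) != WAIT_OBJECT_0:
        raise TimeoutError("I/O not completed within %d ms" % timeout_ms)
    ok, err, count = get_result()
    if not ok:
        raise OSError(err, "overlapped I/O failed")
    return count


if sys.platform == "win32":
    HANDLE, DWORD, BOOL = ctypes.c_void_p, ctypes.c_uint32, ctypes.c_int

    class OVERLAPPED(ctypes.Structure):
        _fields_ = [("Internal", ctypes.c_void_p), ("InternalHigh", ctypes.c_void_p),
                    ("Offset", DWORD), ("OffsetHigh", DWORD), ("hEvent", HANDLE)]

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.CreateEventW.restype, _k32.CreateEventW.argtypes = HANDLE, [ctypes.c_void_p, BOOL, BOOL, ctypes.c_wchar_p]
    _k32.WriteFile.restype, _k32.WriteFile.argtypes = BOOL, [HANDLE, ctypes.c_void_p, DWORD, ctypes.POINTER(DWORD), ctypes.POINTER(OVERLAPPED)]
    _k32.WaitForSingleObject.restype, _k32.WaitForSingleObject.argtypes = DWORD, [HANDLE, DWORD]
    _k32.GetOverlappedResult.restype, _k32.GetOverlappedResult.argtypes = BOOL, [HANDLE, ctypes.POINTER(OVERLAPPED), ctypes.POINTER(DWORD), BOOL]
    _k32.CancelIo.restype, _k32.CancelIo.argtypes = BOOL, [HANDLE]
    _k32.CloseHandle.restype, _k32.CloseHandle.argtypes = BOOL, [HANDLE]

    def overlapped_write(handle: int, data: bytes, timeout_ms: int = 2000) -> int:
        """Write `data` to a handle opened with FILE_FLAG_OVERLAPPED (pipe, socket, file)."""
        event = _k32.CreateEventW(None, True, False, None)
        ov = OVERLAPPED(hEvent=event)
        done = DWORD(0)
        buf = ctypes.create_string_buffer(data, len(data))

        def start():
            ok = _k32.WriteFile(handle, buf, len(data), ctypes.byref(done), ctypes.byref(ov))
            return bool(ok), ctypes.get_last_error(), done.value

        def get_result():
            ok = _k32.GetOverlappedResult(handle, ctypes.byref(ov), ctypes.byref(done), False)
            return bool(ok), ctypes.get_last_error(), done.value

        try:
            return complete_overlapped(start, lambda t: _k32.WaitForSingleObject(event, t), get_result, timeout_ms)
        except TimeoutError:
            _k32.CancelIo(handle)  # never leave a queued request pointing at a buffer we are about to free
            raise
        finally:
            _k32.CloseHandle(event)
```

The wrapper cancels the request on timeout before its buffer goes out of scope; a reimplementation that skips that step has a use-after-free waiting for the late completion. When reviewing the sample's own routine, check whether it does the same, since a missing CancelIo is a common defect in hand-rolled pipe clients.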
                                                                                                    APIs
                                                                                                    • lstrcmp.KERNEL32(?,80000009), ref: 029BE066
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmp
                                                                                                    • String ID: A$ A$ A
                                                                                                    • API String ID: 1534048567-1846390581
                                                                                                    • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                    • Instruction ID: 4c529f75edd2e8cfe3e5ce6fd2df7b88aaa4afb1ac67e450f00f64224b4967f4
                                                                                                    • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                    • Instruction Fuzzy Hash: 5EF062312047069BCB22CF25D984AD2B7FDFF05325B84862AE595C3060D374A498CB55
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                    • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                    • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                    • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                    • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                    • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                    • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                    • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                    • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                    • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                    • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                    • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                    • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                    • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                    • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00403103
                                                                                                    • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                    • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                    • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                    • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                    • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
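The four entries above (0040A4D1, 00404E9E, 00404BDD, 00403103) share the API chain GetTickCount, GetTickCount, Sleep, InterlockedExchange(x, 1). Two tick reads around a Sleep look like a timing check, but combined with an exchange of the value 1 this is the shape of a spin lock with a deadline: InterlockedExchange returns the old value, so 0 means the caller now owns the lock, and the elapsed tick count bounds how long it keeps retrying. The block below is an added example, not code from the report or from the sample, that reconstructs that loop with the clock and sleep injected so the behaviour can be reproduced without real waiting. The loop structure and the timeout value are assumptions; the Sleep(0) and Sleep(10) poll intervals are the ones captured above.

```python
import threading
import time

# Added example, not code from the report or from the sample. It reconstructs the
# GetTickCount / GetTickCount / Sleep / InterlockedExchange(lock, 1) chain seen at
# 0040A4D1, 00404E9E, 00404BDD and 00403103 as a spin lock with a deadline. The
# exact loop shape and the timeout are assumptions; the clock and sleep are
# injected so a test can drive it deterministically.


class FakeTicks:
    """Millisecond tick source standing in for GetTickCount and Sleep."""

    def __init__(self, start: int = 0):
        self.now_ms = start

    def now(self) -> int:
        return self.now_ms

    def sleep(self, ms: int) -> None:
        # Sleep(0) only yields the time slice; still advance one tick so a
        # zero-length poll cannot loop forever against a fake clock.
        self.now_ms += max(ms, 1)


class TimedSpinLock:
    def __init__(self, now=lambda: int(time.monotonic() * 1000), sleep=lambda ms: time.sleep(ms / 1000)):
        self._flag = 0
        self._now = now
        self._sleep = sleep
        self._atomic = threading.Lock()  # stands in for the hardware atomicity of InterlockedExchange

    def _exchange(self, new: int) -> int:
        """InterlockedExchange: store `new`, return the previous value."""
        with self._atomic:
            old, self._flag = self._flag, new
        return old

    def try_acquire(self, timeout_ms: int, poll_ms: int = 0) -> bool:
        start = self._now()                          # first GetTickCount
        while True:
            if self._exchange(1) == 0:               # old value 0: the lock was free and is now ours
                return True
            if self._now() - start >= timeout_ms:    # second GetTickCount; C code relies on unsigned wrap here
                return False
            self._sleep(poll_ms)                     # Sleep(0) or Sleep(10), as captured

    def release(self) -> None:
        self._exchange(0)


if __name__ == "__main__":
    # Real-clock demonstration: a holder thread releases after 50 ms while
    # the main thread polls every 10 ms with a one second deadline.
    lock = TimedSpinLock()
    lock.try_acquire(100)
    holder = threading.Thread(target=lambda: (time.sleep(0.05), lock.release()))
    holder.start()
    print("second acquire:", lock.try_acquire(1000, poll_ms=10))
    holder.join()
```

Telling this pattern apart from an anti-analysis timing check matters for triage: here the tick delta gates a retry loop, not a decision to exit, so it is not evidence for the debugger-detection verdict on its own. A Sleep(0) poll is also the cheap way to burn CPU inside a sandbox without looking idle, which is why the detail of which Sleep argument is used is worth noting.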
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000001,029B44E2,00000000,00000000,00000000), ref: 029BE470
                                                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 029BE484
                                                                                                      • Part of subcall function 029BE2FC: RegCreateKeyExA.ADVAPI32(80000001,029BE50A,00000000,00000000,00000000,00020106,00000000,029BE50A,00000000,000000E4), ref: 029BE319
                                                                                                      • Part of subcall function 029BE2FC: RegSetValueExA.ADVAPI32(029BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE38E
                                                                                                      • Part of subcall function 029BE2FC: RegDeleteValueA.ADVAPI32(029BE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029BE3BF
                                                                                                      • Part of subcall function 029BE2FC: RegCloseKey.ADVAPI32(029BE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029BE50A), ref: 029BE3C8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 4151426672-2980165447
                                                                                                    • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                    • Instruction ID: bcb20d6c6b0d9502d3813669cb1dd65ff94b44909dfcd9bdd8c423c61b675e4f
                                                                                                    • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                    • Instruction Fuzzy Hash: 6B413AB2D00208BBEF226F518E45FEB3F6DEF45764F408125FE0894091E7B59650CAB4
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                      • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                      • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                      • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                      • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 4151426672-2980165447
                                                                                                    • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                    • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                                    • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                    • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 029B83C6
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 029B8477
                                                                                                      • Part of subcall function 029B69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 029B69E5
                                                                                                      • Part of subcall function 029B69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 029B6A26
                                                                                                      • Part of subcall function 029B69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 029B6A3A
                                                                                                      • Part of subcall function 029BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029B1DCF,?), ref: 029BEEA8
                                                                                                      • Part of subcall function 029BEE95: HeapFree.KERNEL32(00000000), ref: 029BEEAF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 359188348-2980165447
                                                                                                    • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                    • Instruction ID: 058d2e2d666173b218db3641edf9ac7209f9ca70d6ccf167a095350667d46fca
                                                                                                    • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                    • Instruction Fuzzy Hash: 21417FB2901109BFEB12EBA09F84EFF776EFF48344F0444A6E508D6050E7B05A948B64
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,029BE859,00000000,00020119,029BE859,PromptOnSecureDesktop), ref: 029BE64D
                                                                                                    • RegCloseKey.ADVAPI32(029BE859,?,?,?,?,000000C8,000000E4), ref: 029BE787
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: PromptOnSecureDesktop
                                                                                                    • API String ID: 47109696-2980165447
                                                                                                    • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                    • Instruction ID: 3c2d0fbef72c9dfe7e0e6f34c9e6c9280ce7bc3d8b16ed3aa8b90b5dc213d095
                                                                                                    • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                    • Instruction Fuzzy Hash: 6C4117B2D0011DBFDF12AFA4DD85EEEBB7EFF04304F504466EA00A6160E3719A559B60
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 029BAFFF
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 029BB00D
                                                                                                      • Part of subcall function 029BAF6F: gethostname.WS2_32(?,00000080), ref: 029BAF83
                                                                                                      • Part of subcall function 029BAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 029BAFE6
                                                                                                      • Part of subcall function 029B331C: gethostname.WS2_32(?,00000080), ref: 029B333F
                                                                                                      • Part of subcall function 029B331C: gethostbyname.WS2_32(?), ref: 029B3349
                                                                                                      • Part of subcall function 029BAA0A: inet_ntoa.WS2_32(00000000), ref: 029BAA10
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                    • String ID: %OUTLOOK_BND_
                                                                                                    • API String ID: 1981676241-3684217054
                                                                                                    • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                    • Instruction ID: be7d2e97a8a8cedca03450c7ab4067071aee5f4092de5c340df3a6be6ba360d5
                                                                                                    • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                    • Instruction Fuzzy Hash: C041317290020CABDB26EFA0DD45EEE3BADFF48304F144426F92992151EA75D654CF54
                                                                                                    APIs
                                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 029B9536
                                                                                                    • Sleep.KERNEL32(000001F4), ref: 029B955D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShellSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 4194306370-3916222277
                                                                                                    • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                    • Instruction ID: 1cef30d1c57343924a909a52278edcb6d428be0b9a691c09745483575441051d
                                                                                                    • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                    • Instruction Fuzzy Hash: 3F4125718583986EFB378B64DA8C7E63BAD9F02314F1400A5DA86871A2D7F44980CF11
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 029BB9D9
                                                                                                    • InterlockedIncrement.KERNEL32(00413648), ref: 029BBA3A
                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 029BBA94
                                                                                                    • GetTickCount.KERNEL32 ref: 029BBB79
                                                                                                    • GetTickCount.KERNEL32 ref: 029BBB99
                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 029BBE15
                                                                                                    • closesocket.WS2_32(00000000), ref: 029BBEB4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                    • String ID: %FROM_EMAIL
                                                                                                    • API String ID: 1869671989-2903620461
                                                                                                    • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                    • Instruction ID: 2d9468a872f1de813176799bfbeafec710fd1fcee8303e8f3e7621881576d352
                                                                                                    • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                    • Instruction Fuzzy Hash: 07317C71500248DFDF26DFA4DE98BEDB7A9EF88704F20446AFA24821A0DB34D685CF50
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 536389180-1857712256
                                                                                                    • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                    • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                    • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                    • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTickwsprintf
                                                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                    • API String ID: 2424974917-1012700906
                                                                                                    • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                    • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                    • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                    • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                    APIs
                                                                                                      • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                      • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                    • String ID: %FROM_EMAIL
                                                                                                    • API String ID: 3716169038-2903620461
                                                                                                    • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                    • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                    • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                    • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 029B70BC
                                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 029B70F4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Name$AccountLookupUser
                                                                                                    • String ID: |
                                                                                                    • API String ID: 2370142434-2343686810
                                                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                    • Instruction ID: 9175a348efa739e0004460cb552a100cf30286f3c4aaeb23d62e2edb7989c23b
                                                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                    • Instruction Fuzzy Hash: E411FA73900118EBDB12CBD4DD84AEEB7BDAF44719F1442A6E501E6194D7709B88CBA0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 2777991786-1857712256
                                                                                                    APIs
                                                                                                    • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                    • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: IncrementInterlockedlstrcpyn
                                                                                                    • String ID: %FROM_EMAIL
                                                                                                    • API String ID: 224340156-2903620461
                                                                                                    APIs
                                                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                    • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 2112563974-1857712256
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: gethostbynameinet_addr
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 1594361348-2401304539
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000), ref: 0040EAF2
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                    • String ID: ntdll.dll
                                                                                                    • API String ID: 2574300362-2227199552
                                                                                                    APIs
                                                                                                      • Part of subcall function 029B2F88: GetModuleHandleA.KERNEL32(?), ref: 029B2FA1
                                                                                                      • Part of subcall function 029B2F88: LoadLibraryA.KERNEL32(?), ref: 029B2FB1
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 029B31DA
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 029B31E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1350570395.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_29b0000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1017166417-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                      • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.1349305263.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000002.00000002.1349305263.0000000000414000.00000040.00000001.01000000.00000004.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_400000_igvdwmhd.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1017166417-0

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:3%
                                                                                                    Dynamic/Decrypted Code Coverage:30.5%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:1576
                                                                                                    Total number of Limit Nodes:14
15000->14968 15001 40df4c 20 API calls 15060 40cb70 15001->15060 15006 40e654 13 API calls 15006->15060 15012 40d569 closesocket Sleep 15535 40e318 15012->15535 15013 40d815 wsprintfA 15013->15060 15014 40cc1c GetTempPathA 15014->15060 15015 40ea84 30 API calls 15015->15060 15017 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15017->15060 15018 407ead 6 API calls 15018->15060 15019 40c517 23 API calls 15019->15060 15020 40d582 ExitProcess 15021 40e8a1 30 API calls 15021->15060 15022 40cfe3 GetSystemDirectoryA 15022->15060 15023 40675c 21 API calls 15023->15060 15024 40d027 GetSystemDirectoryA 15024->15060 15025 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15025->15060 15026 40cfad GetEnvironmentVariableA 15026->15060 15027 40d105 lstrcatA 15027->15060 15028 40ef1e lstrlenA 15028->15060 15029 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15029->15060 15030 40cc9f CreateFileA 15031 40ccc6 WriteFile 15030->15031 15030->15060 15033 40cdcc CloseHandle 15031->15033 15034 40cced CloseHandle 15031->15034 15032 40d15b CreateFileA 15035 40d182 WriteFile CloseHandle 15032->15035 15032->15060 15033->15060 15041 40cd2f 15034->15041 15035->15060 15036 40cd16 wsprintfA 15036->15041 15037 40d149 SetFileAttributesA 15037->15032 15038 40d36e GetEnvironmentVariableA 15038->15060 15039 40d1bf SetFileAttributesA 15039->15060 15040 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15040->15060 15041->15036 15517 407fcf 15041->15517 15042 40d22d GetEnvironmentVariableA 15042->15060 15044 40d3af lstrcatA 15047 40d3f2 CreateFileA 15044->15047 15044->15060 15046 407fcf 64 API calls 15046->15060 15048 40d415 WriteFile CloseHandle 15047->15048 15047->15060 15048->15060 15049 40cd81 WaitForSingleObject CloseHandle CloseHandle 15051 40f04e 4 API calls 15049->15051 15050 40cda5 15052 407ee6 64 API calls 15050->15052 15051->15050 15055 40cdbd DeleteFileA 15052->15055 15053 40d3e0 SetFileAttributesA 
15053->15047 15054 40d26e lstrcatA 15057 40d2b1 CreateFileA 15054->15057 15054->15060 15055->15060 15056 40d4b1 CreateProcessA 15058 40d4e8 CloseHandle CloseHandle 15056->15058 15056->15060 15057->15060 15061 40d2d8 WriteFile CloseHandle 15057->15061 15058->15060 15059 40d452 SetFileAttributesA 15059->15060 15060->14999 15060->15001 15060->15006 15060->15012 15060->15013 15060->15014 15060->15015 15060->15017 15060->15018 15060->15019 15060->15021 15060->15022 15060->15023 15060->15024 15060->15025 15060->15026 15060->15027 15060->15028 15060->15029 15060->15030 15060->15032 15060->15037 15060->15038 15060->15039 15060->15040 15060->15042 15060->15044 15060->15046 15060->15047 15060->15053 15060->15054 15060->15056 15060->15057 15060->15059 15062 407ee6 64 API calls 15060->15062 15063 40d29f SetFileAttributesA 15060->15063 15066 40d31d SetFileAttributesA 15060->15066 15496 40c75d 15060->15496 15508 407e2f 15060->15508 15530 407ead 15060->15530 15540 4031d0 15060->15540 15557 403c09 15060->15557 15567 403a00 15060->15567 15571 40e7b4 15060->15571 15574 40c06c 15060->15574 15580 406f5f GetUserNameA 15060->15580 15591 40e854 15060->15591 15601 407dd6 15060->15601 15061->15060 15062->15060 15063->15057 15066->15060 15068 40741b 15067->15068 15069 406dc2 6 API calls 15068->15069 15070 40743f 15069->15070 15071 407469 RegOpenKeyExA 15070->15071 15073 4077f9 15071->15073 15083 407487 ___ascii_stricmp 15071->15083 15072 407703 RegEnumKeyA 15074 407714 RegCloseKey 15072->15074 15072->15083 15073->14740 15074->15073 15075 40f1a5 lstrlenA 15075->15083 15076 4074d2 RegOpenKeyExA 15076->15083 15077 40772c 15079 407742 RegCloseKey 15077->15079 15080 40774b 15077->15080 15078 407521 RegQueryValueExA 15078->15083 15079->15080 15082 4077ec RegCloseKey 15080->15082 15081 4076e4 RegCloseKey 15081->15083 15082->15073 15083->15072 15083->15075 15083->15076 15083->15077 15083->15078 15083->15081 15085 40777e GetFileAttributesExA 15083->15085 15086 407769 15083->15086 15084 4077e3 
RegCloseKey 15084->15082 15085->15086 15086->15084 15088 407073 15087->15088 15089 4070b9 RegOpenKeyExA 15088->15089 15090 4070d0 15089->15090 15104 4071b8 15089->15104 15091 406dc2 6 API calls 15090->15091 15094 4070d5 15091->15094 15092 40719b RegEnumValueA 15093 4071af RegCloseKey 15092->15093 15092->15094 15093->15104 15094->15092 15096 4071d0 15094->15096 15110 40f1a5 lstrlenA 15094->15110 15097 407205 RegCloseKey 15096->15097 15098 407227 15096->15098 15097->15104 15099 4072b8 ___ascii_stricmp 15098->15099 15100 40728e RegCloseKey 15098->15100 15101 4072cd RegCloseKey 15099->15101 15102 4072dd 15099->15102 15100->15104 15101->15104 15103 407311 RegCloseKey 15102->15103 15106 407335 15102->15106 15103->15104 15104->14744 15105 4073d5 RegCloseKey 15107 4073e4 15105->15107 15106->15105 15108 40737e GetFileAttributesExA 15106->15108 15109 407397 15106->15109 15108->15109 15109->15105 15111 40f1c3 15110->15111 15111->15094 15113 406e97 15112->15113 15114 406e5f LookupAccountNameW 15112->15114 15113->14748 15114->15113 15116 40eb17 15115->15116 15117 40eb21 15115->15117 15125 40eae4 15116->15125 15117->14786 15121 4069b9 WriteFile 15119->15121 15122 406a3c 15121->15122 15124 4069ff 15121->15124 15122->14782 15122->14783 15123 406a10 WriteFile 15123->15122 15123->15124 15124->15122 15124->15123 15126 40eb02 GetProcAddress 15125->15126 15127 40eaed LoadLibraryA 15125->15127 15126->15117 15127->15126 15128 40eb01 15127->15128 15128->15117 15130 401924 GetVersionExA 15129->15130 15130->14797 15132 406eef AllocateAndInitializeSid 15131->15132 15138 406f55 15131->15138 15133 406f1c CheckTokenMembership 15132->15133 15136 406f44 15132->15136 15134 406f3b FreeSid 15133->15134 15135 406f2e 15133->15135 15134->15136 15135->15134 15137 406e36 2 API calls 15136->15137 15136->15138 15137->15138 15138->14806 15140 40f0f1 15139->15140 15141 40f0ed 15139->15141 15142 40f119 15140->15142 15143 40f0fa lstrlenA SysAllocStringByteLen 15140->15143 15141->14829 15145 40f11c 
MultiByteToWideChar 15142->15145 15144 40f117 15143->15144 15143->15145 15144->14829 15145->15144 15147 401820 17 API calls 15146->15147 15148 4018f2 15147->15148 15149 4018f9 15148->15149 15163 401280 15148->15163 15149->14824 15151 401908 15151->14824 15176 401000 15152->15176 15154 401839 15155 401851 GetCurrentProcess 15154->15155 15156 40183d 15154->15156 15157 401864 15155->15157 15156->14818 15157->14818 15159 409308 15158->15159 15161 40920e 15158->15161 15159->14824 15160 4092f1 Sleep 15160->15161 15161->15159 15161->15160 15162 4092bf ShellExecuteA 15161->15162 15162->15159 15162->15161 15166 4012e1 ShellExecuteExW 15163->15166 15165 4016f9 GetLastError 15172 401699 15165->15172 15166->15165 15173 4013a8 15166->15173 15167 401570 lstrlenW 15167->15173 15168 4015be GetStartupInfoW 15168->15173 15169 4015ff CreateProcessWithLogonW 15170 4016bf GetLastError 15169->15170 15171 40163f WaitForSingleObject 15169->15171 15170->15172 15171->15173 15174 401659 CloseHandle 15171->15174 15172->15151 15173->15167 15173->15168 15173->15169 15173->15172 15175 401668 CloseHandle 15173->15175 15174->15173 15175->15173 15177 40100d LoadLibraryA 15176->15177 15182 401023 15176->15182 15178 401021 15177->15178 15177->15182 15178->15154 15179 4010b5 GetProcAddress 15180 4010d1 GetProcAddress 15179->15180 15181 40127b 15179->15181 15180->15181 15183 4010f0 GetProcAddress 15180->15183 15181->15154 15182->15179 15196 4010ae 15182->15196 15183->15181 15184 401110 GetProcAddress 15183->15184 15184->15181 15185 401130 GetProcAddress 15184->15185 15185->15181 15186 40114f GetProcAddress 15185->15186 15186->15181 15187 40116f GetProcAddress 15186->15187 15187->15181 15188 40118f GetProcAddress 15187->15188 15188->15181 15189 4011ae GetProcAddress 15188->15189 15189->15181 15190 4011ce GetProcAddress 15189->15190 15190->15181 15191 4011ee GetProcAddress 15190->15191 15191->15181 15192 401209 GetProcAddress 15191->15192 15192->15181 15193 401225 GetProcAddress 15192->15193 15193->15181 
15194 401241 GetProcAddress 15193->15194 15194->15181 15195 40125c GetProcAddress 15194->15195 15195->15181 15196->15154 15198 40908d 15197->15198 15199 4090e2 wsprintfA 15198->15199 15200 40ee2a 15199->15200 15201 4090fd CreateFileA 15200->15201 15202 40911a lstrlenA WriteFile CloseHandle 15201->15202 15203 40913f 15201->15203 15202->15203 15203->14845 15203->14846 15205 40dd41 InterlockedExchange 15204->15205 15206 40dd20 GetCurrentThreadId 15205->15206 15210 40dd4a 15205->15210 15207 40dd53 GetCurrentThreadId 15206->15207 15208 40dd2e GetTickCount 15206->15208 15207->14849 15209 40dd39 Sleep 15208->15209 15208->15210 15209->15205 15210->15207 15212 40dbf0 15211->15212 15244 40db67 GetEnvironmentVariableA 15212->15244 15214 40dc19 15215 40dcda 15214->15215 15216 40db67 3 API calls 15214->15216 15215->14851 15217 40dc5c 15216->15217 15217->15215 15218 40db67 3 API calls 15217->15218 15219 40dc9b 15218->15219 15219->15215 15220 40db67 3 API calls 15219->15220 15220->15215 15222 40db3a 15221->15222 15224 40db55 15221->15224 15248 40ebed 15222->15248 15224->14853 15224->14858 15257 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15225->15257 15227 40e3be 15227->14853 15229 40e342 15229->15227 15260 40de24 15229->15260 15231 40e528 15230->15231 15232 40e3f4 15230->15232 15231->14862 15233 40e434 RegQueryValueExA 15232->15233 15234 40e458 15233->15234 15235 40e51d RegCloseKey 15233->15235 15236 40e46e RegQueryValueExA 15234->15236 15235->15231 15236->15234 15237 40e488 15236->15237 15237->15235 15238 40db2e 8 API calls 15237->15238 15239 40e499 15238->15239 15239->15235 15240 40e4b9 RegQueryValueExA 15239->15240 15241 40e4e8 15239->15241 15240->15239 15240->15241 15241->15235 15242 40e332 14 API calls 15241->15242 15243 40e513 15242->15243 15243->15235 15245 40db89 lstrcpyA CreateFileA 15244->15245 15246 40dbca 15244->15246 15245->15214 15246->15214 15249 40ec01 15248->15249 15250 40ebf6 15248->15250 15252 40eba0 codecvt 2 API calls 15249->15252 15251 40ebcc 4 API 
calls 15250->15251 15253 40ebfe 15251->15253 15254 40ec0a GetProcessHeap HeapReAlloc 15252->15254 15253->15224 15255 40eb74 2 API calls 15254->15255 15256 40ec28 15255->15256 15256->15224 15271 40eb41 15257->15271 15261 40de3a 15260->15261 15267 40de4e 15261->15267 15275 40dd84 15261->15275 15264 40ebed 8 API calls 15269 40def6 15264->15269 15265 40de9e 15265->15264 15265->15267 15266 40de76 15279 40ddcf 15266->15279 15267->15229 15269->15267 15270 40ddcf lstrcmpA 15269->15270 15270->15267 15272 40eb4a 15271->15272 15274 40eb54 15271->15274 15273 40eae4 2 API calls 15272->15273 15273->15274 15274->15229 15276 40ddc5 15275->15276 15277 40dd96 15275->15277 15276->15265 15276->15266 15277->15276 15278 40ddad lstrcmpiA 15277->15278 15278->15276 15278->15277 15280 40de20 15279->15280 15281 40dddd 15279->15281 15280->15267 15281->15280 15282 40ddfa lstrcmpA 15281->15282 15282->15281 15284 40dd05 6 API calls 15283->15284 15285 40e821 15284->15285 15286 40dd84 lstrcmpiA 15285->15286 15287 40e82c 15286->15287 15288 40e844 15287->15288 15331 402480 15287->15331 15288->14878 15291 40dd05 6 API calls 15290->15291 15292 40df7c 15291->15292 15293 40dd84 lstrcmpiA 15292->15293 15297 40df89 15293->15297 15294 40dfc4 15294->14885 15295 40ddcf lstrcmpA 15295->15297 15296 40ec2e codecvt 4 API calls 15296->15297 15297->15294 15297->15295 15297->15296 15298 40dd84 lstrcmpiA 15297->15298 15298->15297 15300 40ea98 15299->15300 15340 40e8a1 15300->15340 15302 401e84 15302->14886 15304 4019d5 GetProcAddress GetProcAddress GetProcAddress 15303->15304 15307 4019ce 15303->15307 15305 401ab3 FreeLibrary 15304->15305 15306 401a04 15304->15306 15305->15307 15306->15305 15308 401a14 GetProcessHeap 15306->15308 15307->14891 15308->15307 15310 401a2e HeapAlloc 15308->15310 15310->15307 15311 401a42 15310->15311 15312 401a62 15311->15312 15313 401a52 HeapReAlloc 15311->15313 15314 401aa1 FreeLibrary 15312->15314 15315 401a96 HeapFree 15312->15315 15313->15312 15314->15307 15315->15314 15368 401ac3 
LoadLibraryA 15316->15368 15319 401bcf 15319->14902 15321 401ac3 12 API calls 15320->15321 15322 401c09 15321->15322 15323 401c41 15322->15323 15324 401c0d GetComputerNameA 15322->15324 15323->14911 15325 401c45 GetVolumeInformationA 15324->15325 15326 401c1f 15324->15326 15325->15323 15326->15323 15326->15325 15328 40ee2a 15327->15328 15329 4030d0 gethostname gethostbyname 15328->15329 15330 401f82 15329->15330 15330->14916 15330->14917 15334 402419 lstrlenA 15331->15334 15333 402491 15333->15288 15335 402474 15334->15335 15336 40243d lstrlenA 15334->15336 15335->15333 15337 402464 lstrlenA 15336->15337 15338 40244e lstrcmpiA 15336->15338 15337->15335 15337->15336 15338->15337 15339 40245c 15338->15339 15339->15335 15339->15337 15341 40dd05 6 API calls 15340->15341 15342 40e8b4 15341->15342 15343 40dd84 lstrcmpiA 15342->15343 15344 40e8c0 15343->15344 15345 40e90a 15344->15345 15346 40e8c8 lstrcpynA 15344->15346 15347 402419 4 API calls 15345->15347 15356 40ea27 15345->15356 15348 40e8f5 15346->15348 15349 40e926 lstrlenA lstrlenA 15347->15349 15361 40df4c 15348->15361 15350 40e96a 15349->15350 15351 40e94c lstrlenA 15349->15351 15355 40ebcc 4 API calls 15350->15355 15350->15356 15351->15350 15353 40e901 15354 40dd84 lstrcmpiA 15353->15354 15354->15345 15357 40e98f 15355->15357 15356->15302 15357->15356 15358 40df4c 20 API calls 15357->15358 15359 40ea1e 15358->15359 15360 40ec2e codecvt 4 API calls 15359->15360 15360->15356 15362 40dd05 6 API calls 15361->15362 15363 40df51 15362->15363 15364 40f04e 4 API calls 15363->15364 15365 40df58 15364->15365 15366 40de24 10 API calls 15365->15366 15367 40df63 15366->15367 15367->15353 15369 401ae2 GetProcAddress 15368->15369 15373 401b68 GetComputerNameA GetVolumeInformationA 15368->15373 15370 401af5 15369->15370 15369->15373 15371 40ebed 8 API calls 15370->15371 15372 401b29 15370->15372 15371->15370 15372->15373 15374 40ec2e codecvt 4 API calls 15372->15374 15373->15319 15374->15373 15376 406ec3 2 API calls 
15375->15376 15377 407ef4 15376->15377 15378 407fc9 15377->15378 15379 4073ff 17 API calls 15377->15379 15378->14925 15380 407f16 15379->15380 15380->15378 15388 407809 GetUserNameA 15380->15388 15382 407f63 15382->15378 15383 40ef1e lstrlenA 15382->15383 15384 407fa6 15383->15384 15385 40ef1e lstrlenA 15384->15385 15386 407fb7 15385->15386 15412 407a95 RegOpenKeyExA 15386->15412 15389 40783d LookupAccountNameA 15388->15389 15390 407a8d 15388->15390 15389->15390 15391 407874 GetLengthSid GetFileSecurityA 15389->15391 15390->15382 15391->15390 15392 4078a8 GetSecurityDescriptorOwner 15391->15392 15393 4078c5 EqualSid 15392->15393 15394 40791d GetSecurityDescriptorDacl 15392->15394 15393->15394 15395 4078dc LocalAlloc 15393->15395 15394->15390 15407 407941 15394->15407 15395->15394 15396 4078ef InitializeSecurityDescriptor 15395->15396 15398 407916 LocalFree 15396->15398 15399 4078fb SetSecurityDescriptorOwner 15396->15399 15397 40795b GetAce 15397->15407 15398->15394 15399->15398 15400 40790b SetFileSecurityA 15399->15400 15400->15398 15401 407980 EqualSid 15401->15407 15402 407a3d 15402->15390 15405 407a43 LocalAlloc 15402->15405 15403 4079be EqualSid 15403->15407 15404 40799d DeleteAce 15404->15407 15405->15390 15406 407a56 InitializeSecurityDescriptor 15405->15406 15408 407a62 SetSecurityDescriptorDacl 15406->15408 15409 407a86 LocalFree 15406->15409 15407->15390 15407->15397 15407->15401 15407->15402 15407->15403 15407->15404 15408->15409 15410 407a73 SetFileSecurityA 15408->15410 15409->15390 15410->15409 15411 407a83 15410->15411 15411->15409 15413 407ac4 15412->15413 15414 407acb GetUserNameA 15412->15414 15413->15378 15415 407da7 RegCloseKey 15414->15415 15416 407aed LookupAccountNameA 15414->15416 15415->15413 15416->15415 15417 407b24 RegGetKeySecurity 15416->15417 15417->15415 15418 407b49 GetSecurityDescriptorOwner 15417->15418 15419 407b63 EqualSid 15418->15419 15420 407bb8 GetSecurityDescriptorDacl 15418->15420 15419->15420 15421 407b74 LocalAlloc 
15419->15421 15422 407da6 15420->15422 15435 407bdc 15420->15435 15421->15420 15423 407b8a InitializeSecurityDescriptor 15421->15423 15422->15415 15424 407bb1 LocalFree 15423->15424 15425 407b96 SetSecurityDescriptorOwner 15423->15425 15424->15420 15425->15424 15427 407ba6 RegSetKeySecurity 15425->15427 15426 407bf8 GetAce 15426->15435 15427->15424 15428 407c1d EqualSid 15428->15435 15429 407c5f EqualSid 15429->15435 15430 407cd9 15430->15422 15432 407d5a LocalAlloc 15430->15432 15434 407cf2 RegOpenKeyExA 15430->15434 15431 407c3a DeleteAce 15431->15435 15432->15422 15433 407d70 InitializeSecurityDescriptor 15432->15433 15436 407d7c SetSecurityDescriptorDacl 15433->15436 15437 407d9f LocalFree 15433->15437 15434->15432 15440 407d0f 15434->15440 15435->15422 15435->15426 15435->15428 15435->15429 15435->15430 15435->15431 15436->15437 15438 407d8c RegSetKeySecurity 15436->15438 15437->15422 15438->15437 15439 407d9c 15438->15439 15439->15437 15441 407d43 RegSetValueExA 15440->15441 15441->15432 15442 407d54 15441->15442 15442->15432 15443->14945 15445 40dd05 6 API calls 15444->15445 15446 40e65f 15445->15446 15447 40e6a5 15446->15447 15449 40e68c lstrcmpA 15446->15449 15448 40ebcc 4 API calls 15447->15448 15453 40e6f5 15447->15453 15451 40e6b0 15448->15451 15449->15446 15450 40e6b7 15450->14947 15451->15450 15452 40e6e0 lstrcpynA 15451->15452 15451->15453 15452->15453 15453->15450 15454 40e71d lstrcmpA 15453->15454 15454->15453 15455->14953 15457 40c525 15456->15457 15458 40c532 15456->15458 15457->15458 15461 40ec2e codecvt 4 API calls 15457->15461 15459 40c548 15458->15459 15608 40e7ff 15458->15608 15462 40e7ff lstrcmpiA 15459->15462 15467 40c54f 15459->15467 15461->15458 15463 40c615 15462->15463 15464 40ebcc 4 API calls 15463->15464 15463->15467 15464->15467 15465 40c5d1 15469 40ebcc 4 API calls 15465->15469 15467->14966 15468 40e819 11 API calls 15470 40c5b7 15468->15470 15469->15467 15471 40f04e 4 API calls 15470->15471 15472 40c5bf 15471->15472 15472->15459 
15472->15465 15474 402692 inet_addr 15473->15474 15476 40268e 15473->15476 15475 40269e gethostbyname 15474->15475 15474->15476 15475->15476 15477 40f428 15476->15477 15611 40f315 15477->15611 15482 40c8d2 15480->15482 15481 40c907 15481->14968 15482->15481 15483 40c517 23 API calls 15482->15483 15483->15481 15484 40f43e 15485 40f473 recv 15484->15485 15486 40f458 15485->15486 15487 40f47c 15485->15487 15486->15485 15486->15487 15487->14984 15489 40c670 15488->15489 15490 40c67d 15488->15490 15491 40ebcc 4 API calls 15489->15491 15492 40ebcc 4 API calls 15490->15492 15494 40c699 15490->15494 15491->15490 15492->15494 15493 40c6f3 15493->14997 15493->15060 15494->15493 15495 40c73c send 15494->15495 15495->15493 15497 40c770 15496->15497 15498 40c77d 15496->15498 15500 40ebcc 4 API calls 15497->15500 15499 40c799 15498->15499 15501 40ebcc 4 API calls 15498->15501 15502 40c7b5 15499->15502 15503 40ebcc 4 API calls 15499->15503 15500->15498 15501->15499 15504 40f43e recv 15502->15504 15503->15502 15505 40c7cb 15504->15505 15506 40f43e recv 15505->15506 15507 40c7d3 15505->15507 15506->15507 15507->15060 15624 407db7 15508->15624 15511 40f04e 4 API calls 15513 407e4c 15511->15513 15512 40f04e 4 API calls 15514 407e96 15512->15514 15515 40f04e 4 API calls 15513->15515 15516 407e70 15513->15516 15514->15060 15515->15516 15516->15512 15516->15514 15518 406ec3 2 API calls 15517->15518 15519 407fdd 15518->15519 15520 4073ff 17 API calls 15519->15520 15529 4080c2 CreateProcessA 15519->15529 15521 407fff 15520->15521 15522 407809 21 API calls 15521->15522 15521->15529 15523 40804d 15522->15523 15524 40ef1e lstrlenA 15523->15524 15523->15529 15525 40809e 15524->15525 15526 40ef1e lstrlenA 15525->15526 15527 4080af 15526->15527 15528 407a95 24 API calls 15527->15528 15528->15529 15529->15049 15529->15050 15531 407db7 2 API calls 15530->15531 15532 407eb8 15531->15532 15533 40f04e 4 API calls 15532->15533 15534 407ece DeleteFileA 15533->15534 15534->15060 15536 40dd05 6 API 
calls 15535->15536 15537 40e31d 15536->15537 15628 40e177 15537->15628 15539 40e326 15539->15020 15541 4031f3 15540->15541 15550 4031ec 15540->15550 15542 40ebcc 4 API calls 15541->15542 15554 4031fc 15542->15554 15543 403459 15546 40f04e 4 API calls 15543->15546 15544 40349d 15545 40ec2e codecvt 4 API calls 15544->15545 15545->15550 15547 40345f 15546->15547 15548 4030fa 4 API calls 15547->15548 15548->15550 15549 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15549->15554 15550->15060 15551 40344d 15552 40ec2e codecvt 4 API calls 15551->15552 15555 40344b 15552->15555 15554->15549 15554->15550 15554->15551 15554->15555 15556 403141 lstrcmpiA 15554->15556 15654 4030fa GetTickCount 15554->15654 15555->15543 15555->15544 15556->15554 15558 4030fa 4 API calls 15557->15558 15559 403c1a 15558->15559 15560 403ce6 15559->15560 15659 403a72 15559->15659 15560->15060 15563 403a72 9 API calls 15565 403c5e 15563->15565 15564 403a72 9 API calls 15564->15565 15565->15560 15565->15564 15566 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15565->15566 15566->15565 15568 403a10 15567->15568 15569 4030fa 4 API calls 15568->15569 15570 403a1a 15569->15570 15570->15060 15572 40dd05 6 API calls 15571->15572 15573 40e7be 15572->15573 15573->15060 15575 40c07e wsprintfA 15574->15575 15579 40c105 15574->15579 15668 40bfce GetTickCount wsprintfA 15575->15668 15577 40c0ef 15669 40bfce GetTickCount wsprintfA 15577->15669 15579->15060 15581 406f88 LookupAccountNameA 15580->15581 15582 407047 15580->15582 15584 407025 15581->15584 15585 406fcb 15581->15585 15582->15060 15586 406edd 5 API calls 15584->15586 15588 406fdb ConvertSidToStringSidA 15585->15588 15587 40702a wsprintfA 15586->15587 15587->15582 15588->15584 15589 406ff1 15588->15589 15590 407013 LocalFree 15589->15590 15590->15584 15592 40dd05 6 API calls 15591->15592 15593 40e85c 15592->15593 15594 40dd84 lstrcmpiA 15593->15594 15595 40e867 15594->15595 15596 40e885 lstrcpyA 15595->15596 15670 4024a5 
15595->15670 15673 40dd69 15596->15673 15602 407db7 2 API calls 15601->15602 15603 407de1 15602->15603 15604 40f04e 4 API calls 15603->15604 15607 407e16 15603->15607 15605 407df2 15604->15605 15606 40f04e 4 API calls 15605->15606 15605->15607 15606->15607 15607->15060 15609 40dd84 lstrcmpiA 15608->15609 15610 40c58e 15609->15610 15610->15459 15610->15465 15610->15468 15612 40f33b 15611->15612 15620 40ca1d 15611->15620 15613 40f347 htons socket 15612->15613 15614 40f382 ioctlsocket 15613->15614 15615 40f374 closesocket 15613->15615 15616 40f3aa connect select 15614->15616 15617 40f39d 15614->15617 15615->15620 15619 40f3f2 __WSAFDIsSet 15616->15619 15616->15620 15618 40f39f closesocket 15617->15618 15618->15620 15619->15618 15621 40f403 ioctlsocket 15619->15621 15620->14981 15620->15484 15623 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15621->15623 15623->15620 15625 407dc8 InterlockedExchange 15624->15625 15626 407dc0 Sleep 15625->15626 15627 407dd4 15625->15627 15626->15625 15627->15511 15627->15516 15629 40e184 15628->15629 15630 40e2e4 15629->15630 15631 40e223 15629->15631 15644 40dfe2 15629->15644 15630->15539 15631->15630 15633 40dfe2 8 API calls 15631->15633 15637 40e23c 15633->15637 15634 40e1be 15634->15631 15635 40dbcf 3 API calls 15634->15635 15638 40e1d6 15635->15638 15636 40e21a CloseHandle 15636->15631 15637->15630 15648 40e095 RegCreateKeyExA 15637->15648 15638->15631 15638->15636 15639 40e1f9 WriteFile 15638->15639 15639->15636 15641 40e213 15639->15641 15641->15636 15642 40e2a3 15642->15630 15643 40e095 4 API calls 15642->15643 15643->15630 15645 40dffc 15644->15645 15647 40e024 15644->15647 15646 40db2e 8 API calls 15645->15646 15645->15647 15646->15647 15647->15634 15649 40e172 15648->15649 15652 40e0c0 15648->15652 15649->15642 15650 40e13d 15651 40e14e RegDeleteValueA RegCloseKey 15650->15651 15651->15649 15652->15650 15653 40e115 RegSetValueExA 15652->15653 15653->15650 15653->15652 15655 403122 InterlockedExchange 
15654->15655 15656 40312e 15655->15656 15657 40310f GetTickCount 15655->15657 15656->15554 15657->15656 15658 40311a Sleep 15657->15658 15658->15655 15660 40f04e 4 API calls 15659->15660 15667 403a83 15660->15667 15661 403be6 15665 40ec2e codecvt 4 API calls 15661->15665 15662 403ac1 15662->15560 15662->15563 15663 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15664 403bc0 15663->15664 15664->15661 15664->15663 15665->15662 15666 403b66 lstrlenA 15666->15662 15666->15667 15667->15662 15667->15664 15667->15666 15668->15577 15669->15579 15671 402419 4 API calls 15670->15671 15672 4024b6 15671->15672 15672->15596 15674 40dd79 lstrlenA 15673->15674 15674->15060 15676 408791 15675->15676 15677 40879f 15675->15677 15678 40f04e 4 API calls 15676->15678 15679 4087bc 15677->15679 15680 40f04e 4 API calls 15677->15680 15678->15677 15681 40e819 11 API calls 15679->15681 15680->15679 15682 4087d7 15681->15682 15695 408803 15682->15695 15726 4026b2 gethostbyaddr 15682->15726 15685 4087eb 15687 40e8a1 30 API calls 15685->15687 15685->15695 15687->15695 15690 40e819 11 API calls 15690->15695 15691 4088a0 Sleep 15691->15695 15692 4026b2 2 API calls 15692->15695 15694 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15694->15695 15695->15690 15695->15691 15695->15692 15695->15694 15696 40e8a1 30 API calls 15695->15696 15731 408cee 15695->15731 15739 40c4d6 15695->15739 15742 40c4e2 15695->15742 15745 402011 15695->15745 15780 408328 15695->15780 15696->15695 15698 404084 15697->15698 15699 40407d 15697->15699 15700 403ecd 6 API calls 15698->15700 15701 40408f 15700->15701 15702 404000 3 API calls 15701->15702 15703 404095 15702->15703 15704 404130 15703->15704 15709 403f18 4 API calls 15703->15709 15705 403ecd 6 API calls 15704->15705 15706 404159 CreateNamedPipeA 15705->15706 15707 404167 Sleep 15706->15707 15708 404188 ConnectNamedPipe 15706->15708 15707->15704 15710 404176 CloseHandle 15707->15710 15712 404195 GetLastError 
Control-flow graph (an interactive graph in the original report; only its node/edge list survived extraction). The recoverable content, grouped by the code region the graph nodes belong to, with the API calls the plugin attached to each basic block:
- 0x403f18-0x40427b: overlapped pipe I/O (WriteFile and ReadFile each followed by GetLastError, WaitForSingleObject, GetOverlappedResult), DisconnectNamedPipe (0x40425e), CloseHandle, ExitProcess (0x40411c).
- 0x402020-0x4021f2, 0x408d02-0x408dae, 0x404bd1-0x404c08, 0x40a4c7-0x40a56c: GetTickCount/InterlockedExchange/Sleep timing loops; closesocket (0x401990); wsprintfA (0x401cc2, 0x401d47); 0x40c2dc-0x40c4d2 ends in InterlockedIncrement + CreateThread (0x40c4ab) with thread body 0x40b535.
- 0x408340-0x40875b: GetTempPathA (0x408626), RegOpenKeyExA/RegQueryValueExA/RegSetValueExA/RegCloseKey (0x4083ea-0x408573), IsBadCodePtr (0x406ba7), lstrcpyA/lstrlenA, CreateProcessA (0x408719), two CloseHandle, DeleteFileA (0x40875b); 0x406c07-0x406c5a: CreateFileA, WriteFile, CloseHandle, DeleteFileA.
- 0x40b535-0x40be05 (thread body): lstrlenA/lstrcpyA/lstrcmpA/lstrcpynA, GetTickCount, InterlockedIncrement/InterlockedDecrement, Sleep, closesocket (0x40bc4c, 0x40bcdc), wsprintfA, inet_ntoa (0x40a7a3).
- 0x40a7c1-0x40ab17: socket client loop of lstrlenA + send (0x40a87d, 0x40a8c4), recv (0x40a978), wsprintfA on each path, inet_ntoa.
- 0x40b3c5-0x40b51a, 0x40ad08-0x40aed2, 0x40b211-0x40b33a: message formatting with wsprintfA, gethostname (0x40ad08), GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation.
- 0x402a62-0x402cd3 with helpers 0x4026ff-0x4027cc, 0x402816-0x4028c3, 0x402923-0x4029f6: socket (0x402a99), htons, sendto (0x4027cc), select (0x402b04), recv (0x402b3f), repeated htons on the reply, GetProcessHeap/HeapAlloc/HeapFree, closesocket; 0x402d21-0x402fcf and 0x402df2-0x402ef1: GetModuleHandleA, LoadLibraryA, GetProcAddress, inet_addr, gethostbyname (0x402ea5).
- 0x29b69c0-0x29b6e93 (second mapped region): CreateToolhelp32Snapshot, Module32First, VirtualAlloc.
- 0x28e0005-0x28e08c7 (third region): GetPEB (0x28e092b, 0x28e0dbb), two SetErrorMode, VirtualAlloc (0x28e0238), VirtualProtect (0x28e02ce), VirtualFree (0x28e0439), LoadLibraryA (0x28e04e3, 0x28e05f4).
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                                      • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                      • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                      • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                                    • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                                    • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                                    • ExitProcess.KERNEL32 ref: 00409C06
                                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                                    • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                                    • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                                    • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                                    • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                                    • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                                    • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                                    • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                                    • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                                    • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                                    • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                                    • wsprintfA.USER32 ref: 0040A0B6
                                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                                    • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                                    • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                                    • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                                      • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                      • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                      • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                    • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                                    • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                                    • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                                    • DeleteFileA.KERNEL32(C:\Users\user\Desktop\igvdwmhd.exe), ref: 0040A407
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                                    • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                                    • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                                    • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                                    • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                                    • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                    • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\igvdwmhd.exe$C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$D$P$\$ptcoklzf
                                                                                                    • API String ID: 2089075347-1790027639
                                                                                                    • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                                    • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                                    • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                                    • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                                    Control-flow Graph
                                                                                                    (Interactive graph in the original report, colour-coded executed/not executed; only the edge list survived extraction.) Function at 0x40637c: 40637c → 40638a (GetModuleHandleA, VirtualAlloc) → 4063b6 (call 40ee08, VirtualAllocEx) → 4063d6 (call 4062b7, WriteProcessMemory) → 4063f9 → 40640b. Each of the three API blocks also has a direct edge to 4063f5, which falls through to 40640b, consistent with the sequence being abandoned when a step fails.
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                    • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                    • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 1965334864-0
                                                                                                    • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                    • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                    • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                    • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
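The two API listings above (the routine at 0x409A7F-0x40A4C3 and the allocation/write helper at 0x40637c) are the report's own trace. What follows is an added triage example, not code from Joe Sandbox or from the sample: it parses API lines in the format printed above, decodes the constant arguments the plugin resolved (MEM_COMMIT 0x1000, PAGE_EXECUTE_READWRITE 0x40, CREATE_NO_WINDOW 0x08000000) using the documented Win32 argument positions, and applies two rules: a VirtualAllocEx that commits executable memory in another process followed by WriteProcessMemory (the primitive in the second listing), and the install sequence in the first listing (CreateProcessA with CREATE_NO_WINDOW, StartServiceCtrlDispatcherA, DeleteFileA of the sample's own path). The embedded trace is a constructed subset of the lines above; the rule names are mine, and the rules key on listing order, not on an execution timeline.

```python
"""Triage helper for Joe Sandbox-style API listings (added example; not
report or sample code).  Parses lines such as
    • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
and runs two behavioural rules over the parsed calls."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines printed in the two listings above
# ('?' is an argument the plugin could not resolve).
TRACE = r"""
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\igvdwmhd.exe), ref: 0040A407
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""

MEM_COMMIT = 0x1000
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
CREATE_NO_WINDOW = 0x08000000

# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR" (no argument list)
LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # argument strings as printed; '?' means unresolved
    ref: int     # address of the call site


def parse_trace(text):
    """Turn the bullet lines of an API listing into ApiCall records (listing order)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(api=m.group("api"), module=m.group("mod"),
                             args=[a.strip() for a in raw.split(",")] if raw else [],
                             ref=int(m.group("ref"), 16)))
    return calls


def hexarg(call, index):
    """Argument `index` as an int when printed as a hex constant; None for '?',
    a missing argument, or a string such as a path or 'EntryPoint'."""
    if index >= len(call.args):
        return None
    value = call.args[index]
    return int(value, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", value) else None


def find_remote_exec_writes(calls):
    """Rule 1: VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect)
    with an executable flProtect (arg 4), followed by WriteProcessMemory.
    Returns [(alloc_ref, write_ref)]; the target handle is not checked because
    the plugin prints it unresolved (00000000) in this report."""
    findings, pending = [], None
    for c in calls:
        if c.api == "VirtualAllocEx":
            prot = hexarg(c, 4)
            if prot is not None and prot & PAGE_EXECUTE_ANY:
                pending = c.ref
        elif c.api == "WriteProcessMemory" and pending is not None:
            findings.append((pending, c.ref))
            pending = None
    return findings


def find_install_pattern(calls, sample_path):
    """Rule 2: a hidden child (CreateProcessA dwCreationFlags, arg 5, has
    CREATE_NO_WINDOW), entry into the SCM dispatcher, and deletion of the
    sample's own file.  Returns the three call sites, or None if one is missing."""
    hidden_spawn = next((c.ref for c in calls if c.api == "CreateProcessA"
                         and (hexarg(c, 5) or 0) & CREATE_NO_WINDOW), None)
    service_entry = next((c.ref for c in calls
                          if c.api == "StartServiceCtrlDispatcherA"), None)
    self_delete = next((c.ref for c in calls if c.api == "DeleteFileA"
                        and c.args and c.args[0].lower() == sample_path.lower()), None)
    if None in (hidden_spawn, service_entry, self_delete):
        return None
    return {"hidden_spawn": hidden_spawn, "service_entry": service_entry,
            "self_delete": self_delete}


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    print("remote executable alloc + write:",
          [(hex(a), hex(w)) for a, w in find_remote_exec_writes(calls)])
    print("install pattern:", find_install_pattern(calls, r"C:\Users\user\Desktop\igvdwmhd.exe"))
```

Both rules operate on the static listing, so a hit means the code path exists, not that the sandbox observed it executing; the executed/not-executed colouring of the original graph is the place to confirm that. The local VirtualAlloc at 0x4063A9 (PAGE_READWRITE, 0x04) is deliberately not flagged, only the cross-process allocation with PAGE_EXECUTE_READWRITE.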

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 305 407536-40753c 296->305 306 4076df-4076e2 297->306 307 407742-407745 RegCloseKey 298->307 308 40774b-40774e 298->308 309 40753f-407544 305->309 306->291 310 4076e4-4076e7 RegCloseKey 306->310 307->308 312 4077ec-4077f7 RegCloseKey 308->312 309->309 311 407546-40754b 309->311 310->291 311->297 313 407551-40756b call 40ee95 311->313 312->287 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 330 4075d8-4075da 323->330 324->330 331 4075dc 330->331 332 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 330->332 331->332 342 407626-40762b 332->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 346->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 
406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->312 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->306 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 381 4077e0-4077e2 379->381 382 4077de 379->382 380->379 381->359 382->381
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00407472
                                                                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004074F0
                                                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00407528
                                                                                                    • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004076E7
                                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00407717
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00407745
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004077EF
                                                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                                    • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                    • String ID: "
                                                                                                    • API String ID: 3433985886-123907689
                                                                                                    • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                    • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                                    • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                                    • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 028E024D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID: cess$kernel32.dll
                                                                                                    • API String ID: 4275171209-1230238691
                                                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                    • Instruction ID: 7c09f1d2d0eeecdccc9fdca5e850ce5dd99776932fc0b2e5381126aa200c8370
                                                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                                    • Instruction Fuzzy Hash: 6B527B78A01229DFDB64CF58C984BACBBB1BF09304F1484D9E44EAB351DB70AA85CF14

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                                    • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                                    • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                                    • String ID: D
                                                                                                    • API String ID: 2098669666-2746444292
                                                                                                    • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                    • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                    • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                    • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                    • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                    • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    • API ID: CloseHandle$CreateEvent
                                                                                                    • String ID:
                                                                                                    • API String ID: 1371578007-0
                                                                                                    • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                    • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                    • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                    • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                                    • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                                    • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    • API ID: CreateErrorFileLastSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 408151869-0
                                                                                                    • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                    • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                    • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                    • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                    • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                    • String ID:
                                                                                                    • API String ID: 1209300637-0
                                                                                                    • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                    • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                    • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                    • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    • API ID: Name$AccountLookupUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2370142434-0
                                                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                    • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                    • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029B7188
                                                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 029B71A8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1368074204.00000000029B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 029B2000, based on PE: false
                                                                                                    • Snapshot File: hcaresult_15_2_29b2000_ybyrikeu.jbxd
                                                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                    • String ID:
                                                                                                    • API String ID: 3833638111-0
                                                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                    • Instruction ID: cbff4820861b9a82bb7346e70bebe85d80d4056e3c00dbe15151e117bd004b39
                                                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                    • Instruction Fuzzy Hash: D9F0F6321003147FE7313BF4998CBEEB2ECAF88224F100228E642910C0DB70E8058A70

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,028E0223,?,?), ref: 028E0E19
                                                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,028E0223,?,?), ref: 028E0E1E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode
                                                                                                    • String ID:
                                                                                                    • API String ID: 2340568224-0
                                                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                    • Instruction ID: 1c072a56b2d644ec7deb6d0f39edbe5c90f887f2c3a704af385fe71bd3dcba02
                                                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                    • Instruction Fuzzy Hash: DCD0123514512877DB003A94DC09BCD7B1CDF05B66F008421FB0DE9080C7B0954046E5

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 571 406dc2-406dd5 572 406e33-406e35 571->572 573 406dd7-406df1 call 406cc9 call 40ef00 571->573 578 406df4-406df9 573->578 578->578 579 406dfb-406e00 578->579 580 406e02-406e22 GetVolumeInformationA 579->580 581 406e24 579->581 580->581 582 406e2e 580->582 581->582 582->572
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                      • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                      • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                      • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 1823874839-0
                                                                                                    • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                    • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                    • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                    • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 583 409892-4098c0 584 4098c2-4098c5 583->584 585 4098d9 583->585 584->585 587 4098c7-4098d7 584->587 586 4098e0-4098f1 SetServiceStatus 585->586 587->586
                                                                                                    APIs
                                                                                                    • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ServiceStatus
                                                                                                    • String ID:
                                                                                                    • API String ID: 3969395364-0
                                                                                                    • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                    • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                                    • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                    • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 588 29b6e1f-29b6e59 call 29b7132 591 29b6e5b-29b6e8e VirtualAlloc call 29b6eac 588->591 592 29b6ea7 588->592 594 29b6e93-29b6ea5 591->594 592->592 594->592
                                                                                                    APIs
                                                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029B6E70
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1368074204.00000000029B2000.00000040.00000020.00020000.00000000.sdmp, Offset: 029B2000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_29b2000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0
                                                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                    • Instruction ID: f180e687d4b9678f3b2094c02a5ba7f61b317aa1484ae4d43e46b2ea9b1806a8
                                                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                    • Instruction Fuzzy Hash: 66113C79A00208EFDB01DF98CA85E99BBF5AF08750F058094F9489B361D371EA50DF90

                                                                                                    Control-flow Graph
                                                                                                    control_flow_graph 595 4098f2-4098f4 596 4098f6-409902 call 404280 595->596 599 409904-409913 Sleep 596->599 600 409917 596->600 599->596 601 409915 599->601 602 409919-409942 call 402544 call 40977c 600->602 603 40995e-409960 600->603 601->600 607 409947-409957 call 40ee2a 602->607 607->603
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                    • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateEventSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3100162736-0
                                                                                                    • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                    • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                                    • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                    • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 028E65F6
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 028E6610
                                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 028E6631
                                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 028E6652
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 1965334864-0
                                                                                                    • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                    • Instruction ID: ed7f85a96e4cd9cb746a9722703979391229d3fcea32e67809806f1a66ca25bd
                                                                                                    • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                    • Instruction Fuzzy Hash: 221154B9600228BFDB119F65DC45F9B3FACEB057A5F114024FA09D7291E7B1DD008AA4
                                                                                                    APIs
                                                                                                    • ExitProcess.KERNEL32 ref: 028E9E6D
                                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 028E9FE1
                                                                                                    • lstrcat.KERNEL32(?,?), ref: 028E9FF2
                                                                                                    • lstrcat.KERNEL32(?,0041070C), ref: 028EA004
                                                                                                    • GetFileAttributesExA.KERNEL32(?,?,?), ref: 028EA054
                                                                                                    • DeleteFileA.KERNEL32(?), ref: 028EA09F
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 028EA0D6
                                                                                                    • lstrcpy.KERNEL32 ref: 028EA12F
                                                                                                    • lstrlen.KERNEL32(00000022), ref: 028EA13C
                                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 028E9F13
                                                                                                      • Part of subcall function 028E7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 028E7081
                                                                                                      • Part of subcall function 028E6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\aenzvwkq,028E7043), ref: 028E6F4E
                                                                                                      • Part of subcall function 028E6F30: GetProcAddress.KERNEL32(00000000), ref: 028E6F55
                                                                                                      • Part of subcall function 028E6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 028E6F7B
                                                                                                      • Part of subcall function 028E6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 028E6F92
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 028EA1A2
                                                                                                    • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 028EA1C5
                                                                                                    • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 028EA214
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 028EA21B
                                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 028EA265
                                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 028EA29F
                                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 028EA2C5
                                                                                                    • lstrcat.KERNEL32(?,00000022), ref: 028EA2D9
                                                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 028EA2F4
                                                                                                    • wsprintfA.USER32 ref: 028EA31D
                                                                                                    • lstrcat.KERNEL32(?,00000000), ref: 028EA345
                                                                                                    • lstrcat.KERNEL32(?,?), ref: 028EA364
                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 028EA387
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 028EA398
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 028EA1D1
                                                                                                      • Part of subcall function 028E9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 028E999D
                                                                                                      • Part of subcall function 028E9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 028E99BD
                                                                                                      • Part of subcall function 028E9966: RegCloseKey.ADVAPI32(?), ref: 028E99C6
                                                                                                    • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 028EA3DB
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 028EA3E2
                                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 028EA41D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                    • String ID: "$"$"$D$P$\
                                                                                                    • API String ID: 1653845638-2605685093
                                                                                                    • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                    • Instruction ID: 23d11430cd6d42380bcdf6fcf563549d2a8cb3faf71cef5edfacead39a39126a
                                                                                                    • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                    • Instruction Fuzzy Hash: 07F164B9D40259EFDF15DBA4CC48FEF7BBCAB0A704F0444A5E60AE2041E7B586848F65
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                    • API String ID: 2238633743-3228201535
                                                                                                    • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                    • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                    • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                    • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                    • wsprintfA.USER32 ref: 0040B3B7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                    • API String ID: 766114626-2976066047
                                                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                    • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                    • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                    • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$D
                                                                                                    • API String ID: 2976863881-1536157608
                                                                                                    • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                    • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                    • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                    • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 028E7D21
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 028E7D46
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 028E7D7D
                                                                                                    • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 028E7DA2
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 028E7DC0
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 028E7DD1
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 028E7DE5
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 028E7DF3
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 028E7E03
                                                                                                    • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 028E7E12
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 028E7E19
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 028E7E35
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$D
                                                                                                    • API String ID: 2976863881-1536157608
                                                                                                    • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                    • Instruction ID: fd35c7bdf1075b7e73c4aca562ad751efcbe638d9981088f1661011fac9848a3
                                                                                                    • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                    • Instruction Fuzzy Hash: ADA17C79900209AFDF21DFA0DC88FEEBBB9FB0A704F048169E506E6150D7758A84CB64
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                    • API String ID: 2400214276-165278494
                                                                                                    • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                    • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                    • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                    • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 0040A7FB
                                                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                    • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                    • wsprintfA.USER32 ref: 0040A8AF
                                                                                                    • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                    • wsprintfA.USER32 ref: 0040A8E2
                                                                                                    • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                    • wsprintfA.USER32 ref: 0040A9B9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                                                    • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                    • API String ID: 3650048968-2394369944
                                                                                                    • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                    • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                    • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                    • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                    • String ID: D
                                                                                                    • API String ID: 3722657555-2746444292
                                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 028E7A96
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 028E7ACD
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 028E7ADF
                                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 028E7B01
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 028E7B1F
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 028E7B39
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 028E7B4A
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 028E7B58
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 028E7B68
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 028E7B77
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 028E7B7E
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 028E7B9A
                                                                                                    • GetAce.ADVAPI32(?,?,?), ref: 028E7BCA
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 028E7BF1
                                                                                                    • DeleteAce.ADVAPI32(?,?), ref: 028E7C0A
                                                                                                    • EqualSid.ADVAPI32(?,?), ref: 028E7C2C
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 028E7CB1
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 028E7CBF
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 028E7CD0
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 028E7CE0
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 028E7CEE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                    • String ID: D
                                                                                                    • API String ID: 3722657555-2746444292
                                                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction ID: f6a56185e6758f9c1b769e80de1dd7da57763cf99c2f87f7b85cf13bff95aaf5
                                                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                    • Instruction Fuzzy Hash: D1813B79900219ABEF21CFA4DD84FEEBBBCEF09304F04816AE50AE6150D7759641CB64
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                    • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                    • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                    • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                    Strings
                                                                                                    Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$localcfg
• API String ID: 237177642-1805428051
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69

APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A

APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9

APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 028E865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 028E867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 028E86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 028E86B1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
• API String ID: 237177642-2855230621
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: fe6dccd64ba0efc02efe78e5e9609d7f96b8c296fc0eaa52937ac242fd333bb5
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: CFC1B2BD900149BEEF11ABA4DD85EEF7BBDEB06304F144065FA06E2060E7718A948F65

APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
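The function blocks in this listing are dense but repetitive: the same routines appear once in the loaded image at 00400000 and again in the unpacked region at 028E0000 (compare ShellExecuteExW at 0040139A and 028E1601, or the socket/select/recv loop at 00402AA0 and 028E2D07), and the interesting facts sit in the API argument values and the String ID line. The following helper is an added example, not Joe Sandbox tooling: it parses the text form of these blocks (the APIs bullets, String ID and Instruction ID lines) and tags each function with analyst heuristics that are this example's own assumptions, not Joe Sandbox signatures. The sample input is an abbreviated, constructed copy of five blocks from this report.

```python
"""Triage helper for Joe Sandbox per-function blocks (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API bullet: optional "Part of subcall function XXXX: " prefix, Name.MODULE(args), ref: ADDR
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    parent: Optional[str] = None   # set when the bullet came from a listed subcall

@dataclass
class Function:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    instruction_id: str = ""

    def call(self, name):
        return next((c for c in self.apis if c.name == name), None)

    def has(self, *names):
        return all(self.call(n) is not None for n in names)

    def key(self):
        # Instruction ID when the block carries one, otherwise the first call site.
        return self.instruction_id[:12] or f"sub_{self.apis[0].ref}"

def parse(text):
    """Split the listing into Function records; an 'APIs' header opens a new one."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Function()
            funcs.append(cur)
            continue
        if cur is None or not line.startswith("• "):
            continue
        body = line[2:]
        if body.startswith("String ID:"):
            # Joe Sandbox joins referenced strings with '$'; a leading '$' gives an empty item.
            cur.strings = [s for s in body[len("String ID:"):].strip().split("$") if s]
        elif body.startswith("Instruction ID:"):
            cur.instruction_id = body.split(":", 1)[1].strip()
        else:
            m = API_RE.match(body)   # other '• Key: value' bullets (Source File, Opcode ID, ...) do not match
            if m:
                args = m.group("args").split(",") if m.group("args") else []
                cur.apis.append(Call(m.group("name"), m.group("module"), args,
                                     m.group("ref"), m.group("parent")))
    return funcs

def classify(f):
    """Heuristic tags (assumptions of this example) for one function."""
    tags = []
    sock = f.call("socket")
    # socket(2, 2, 17) is AF_INET / SOCK_DGRAM / IPPROTO_UDP; with select+recv it is a UDP receive loop
    if sock and sock.args == ["00000002", "00000002", "00000011"] and f.has("select", "recv"):
        tags.append("udp-listen")
    # inet_addr on a fixed external address plus GetBestInterface/GetAdaptersInfo is the
    # common way to find the adapter that carries the default route
    if f.has("inet_addr") and {"GetBestInterface", "GetAdaptersInfo"} <= set(f.strings):
        tags.append("egress-nic-probe")
    if f.has("RegSetValueExA") and any("\\SysWOW64\\" in s for s in f.strings):
        tags.append("registry-write-with-drop-path")
    if f.has("GetVersionExA", "GetComputerNameA") and "IsWow64Process" in f.strings:
        tags.append("host-fingerprint")
    if f.has("gethostname") and any(s.startswith("----=_NextPart_") for s in f.strings):
        tags.append("mime-builder")
    return tags

def triage(text):
    return {f.key(): classify(f) for f in parse(text)}

# Constructed sample: abbreviated copies of five blocks from the listing above.
SAMPLE = r"""
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 028E865A
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 028E86A8
• String ID: "$C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
• Instruction ID: fe6dccd64ba0efc02efe78e5e9609d7f96b8c296fc0eaa52937ac242fd333bb5
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
"""

if __name__ == "__main__":
    for key, tags in triage(SAMPLE).items():
        print(key, tags)
```

Keying on the first twelve characters of the Instruction ID lets the two copies of a routine (image and unpacked region) be matched across dumps; blocks without an Instruction ID fall back to the first call site. The socket rule checks the raw argument values because that is exactly what the report preserves: 00000002,00000002,00000011 is AF_INET, SOCK_DGRAM, IPPROTO_UDP, which together with select and recv is a UDP receive loop rather than a TCP connect.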
APIs
• ShellExecuteExW.SHELL32(?), ref: 028E1601
• lstrlenW.KERNEL32(-00000003), ref: 028E17D8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: 114aa46676a785925a6ccee770d36c9b576ec75a5aa8d8ca1498b6f8ca1942d6
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 01F1BCB81083419FDB20DF64C888BABB7E5FB8A705F40892DF59AD7290D7B49D44CB52

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 028E76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 028E7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 028E778F
• ___ascii_stricmp.LIBCMT ref: 028E78B4
• RegCloseKey.ADVAPI32(?), ref: 028E794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 028E796D
• RegCloseKey.ADVAPI32(?), ref: 028E797E
• RegCloseKey.ADVAPI32(?), ref: 028E79AC
• RegCloseKey.ADVAPI32(?), ref: 028E7A56
  • Part of subcall function 028EF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,028E772A,?), ref: 028EF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 028E79F6
• RegCloseKey.ADVAPI32(?), ref: 028E7A4D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: a012001806d5b468a3e9118ff341f311230cec833829fae0dded368480aa82a7
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 50C1B47D900219AFEF11DBA8DC44FEEBBB9EF5A314F1040A5E506E6150EB74DA80CB61

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(771B0F10,?,771B0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407208
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(771B0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(771B0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 028E2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 028E2D07
• htons.WS2_32(00000000), ref: 028E2D42
• select.WS2_32 ref: 028E2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 028E2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 028E2E62
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: aedb246e5cf3382b172704470dc0da6e14e5895cfdeb0e3493558600da1aa556
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 2D61047D50431AABCB20AF64CC08B6BBBECEB86355F004819FD4AD7151D7B4D880CBA6

APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
                                                                                                    • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                    • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                                    • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                                    • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                                    • htons.WS2_32(00000035), ref: 00402E88
                                                                                                    • inet_addr.WS2_32(?), ref: 00402E93
                                                                                                    • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                                    • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                    • API String ID: 929413710-2099955842
                                                                                                    • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                    • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                                    • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                                    • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                                    APIs
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                                    • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                                    • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,771B0F10,00000000), ref: 0040688B
                                                                                                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00406906
                                                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,771B0F10,00000000), ref: 0040691C
                                                                                                    • CloseHandle.KERNEL32(000000FF,?,771B0F10,00000000), ref: 00406971
                                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2622201749-0
                                                                                                    • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                    • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                                    • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                                    • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                    • wsprintfA.USER32 ref: 004093CE
                                                                                                    • wsprintfA.USER32 ref: 0040940C
                                                                                                    • wsprintfA.USER32 ref: 0040948D
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                    • String ID: runas
                                                                                                    • API String ID: 3696105349-4000483414
                                                                                                    • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                    • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                    • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                    • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 0040B467
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$wsprintf
                                                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                    • API String ID: 1220175532-2340906255
                                                                                                    • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                    • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                                    • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                                    • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32 ref: 028E202D
                                                                                                    • GetSystemInfo.KERNEL32(?), ref: 028E204F
                                                                                                    • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 028E206A
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 028E2071
                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 028E2082
                                                                                                    • GetTickCount.KERNEL32 ref: 028E2230
                                                                                                      • Part of subcall function 028E1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 028E1E7C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                    • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                                    • API String ID: 4207808166-1391650218
                                                                                                    • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                    • Instruction ID: 3cb1a2a2befa9d2b21cd547a61c9e1e2cff4388082f3276083294b06c926fe17
                                                                                                    • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                                    • Instruction Fuzzy Hash: EF510679500348AFE730AF799C88F67BAECEB56708F00091DF99BC2141D7B4A584CB66
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00402078
                                                                                                    • GetTickCount.KERNEL32 ref: 004020D4
                                                                                                    • GetTickCount.KERNEL32 ref: 004020DB
                                                                                                    • GetTickCount.KERNEL32 ref: 0040212B
                                                                                                    • GetTickCount.KERNEL32 ref: 00402132
                                                                                                    • GetTickCount.KERNEL32 ref: 00402142
                                                                                                      • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                                      • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                                      • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                      • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                      • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                    • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                    • API String ID: 3976553417-1522128867
                                                                                                    • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                    • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                    • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                    • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                    APIs
                                                                                                    • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                    • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: closesockethtonssocket
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 311057483-2401304539
                                                                                                    • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                    • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                    • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                    • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                    • ExitProcess.KERNEL32 ref: 00404121
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateEventExitProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 2404124870-0
                                                                                                    • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                    • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                    • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                    • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                      • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                    • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                    • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                    • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1553760989-1857712256
                                                                                                    • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                    • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                    • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                    • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 028E3068
                                                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 028E3078
                                                                                                    • GetProcAddress.KERNEL32(00000000,00410408), ref: 028E3095
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 028E30B6
                                                                                                    • htons.WS2_32(00000035), ref: 028E30EF
                                                                                                    • inet_addr.WS2_32(?), ref: 028E30FA
                                                                                                    • gethostbyname.WS2_32(?), ref: 028E310D
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 028E314D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                    • String ID: iphlpapi.dll
                                                                                                    • API String ID: 2869546040-3565520932
                                                                                                    • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                    • Instruction ID: fe6b7c1e2253daf268eb4159acaa11007b0ba371e04d1a5ff9fed909feb14959
                                                                                                    • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                    • Instruction Fuzzy Hash: F231C73DA00206BBDF119BB89C48BBE7778AF06364F1441A9F91EE3290DB74DD418B54
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32(?), ref: 028E95A7
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 028E95D5
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 028E95DC
                                                                                                    • wsprintfA.USER32 ref: 028E9635
                                                                                                    • wsprintfA.USER32 ref: 028E9673
                                                                                                    • wsprintfA.USER32 ref: 028E96F4
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 028E9758
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 028E978D
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 028E97D8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                    • String ID:
                                                                                                    • API String ID: 3696105349-0
                                                                                                    • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                    • Instruction ID: d52a499908d6c722ff4f35bdb98ee029e045ad2d0d1724ac2492f895c18c9b2b
                                                                                                    • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                    • Instruction Fuzzy Hash: B0A18BBA90021CABEF21DFA4CC45FDA3BADEB06345F104026FA16D2151E7B5D584CFA5
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                                                    • API String ID: 3560063639-3847274415
                                                                                                    • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                    • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                    • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                    • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                    APIs
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmpi
                                                                                                    • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                    • API String ID: 1586166983-1625972887
                                                                                                    • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                    • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                    • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                    • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
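The function records above follow one fixed layout: an APIs block whose entries carry the imported function, its module, the observed argument list and the call-site address after `ref:`, a String ID whose values are joined with `$`, a Memory Dump Source line with the dump offset and the "based on PE" flag, and the Opcode / Instruction IDs that identify the function. Because the layout is regular, it can be parsed and triaged mechanically, which is how an analyst pivots from "which function resolves DnsQuery_A" to "which functions compare the smtp_* config keys". The parser and tagger below are an added example written for this page; they are not Joe Sandbox code, and the tag names (`dynamic-import`, `network`, `smtp-config`), the module list used for the network tag and the field names in the returned dict are my own choices. The sample input is constructed from the dnsapi.dll and smtp_* records shown above, flattened to one bullet per line.

```python
"""Parse and triage Joe Sandbox function records in the flattened
'APIs / Strings / Memory Dump Source / Similarity' layout.

Added example for this page, not Joe Sandbox's own code. Tag names,
module heuristics and output field names are assumptions made here.
"""
import re
from collections import defaultdict

# Constructed sample: two records copied from the report above, one
# bullet per line, no indentation.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-F]+)")
NET_MODULES = ("ws2", "dnsapi", "iphlpapi", "wininet", "winhttp")  # assumption


def parse_records(text):
    """Split the flattened report into records; each record opens with 'APIs'."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                d = m.groupdict()
                d["args"] = [a for a in (d["args"] or "").split(",") if a]
                rec["apis"].append(d)
        else:
            key, _, value = body.partition(":")
            rec["fields"][key.strip()] = value.strip()
    return records


def triage(rec):
    """Tag one record from its APIs and strings; heuristics are my own."""
    names = {a["name"] for a in rec["apis"]}
    mods = {a["mod"] for a in rec["apis"]}
    strings = [s for s in rec["fields"].get("String ID", "").split("$") if s]
    # Second GetProcAddress argument is the symbolic name when the sandbox saw it.
    resolved = [a["args"][1] for a in rec["apis"]
                if a["name"] == "GetProcAddress" and len(a["args"]) > 1
                and a["args"][1] != "?" and not HEX_RE.match(a["args"][1])]
    tags = set()
    if "GetProcAddress" in names and names & {"LoadLibraryA", "GetModuleHandleA"}:
        tags.add("dynamic-import")
    if "WS2_32" in mods or any(s.lower().endswith(".dll") and
                               s.lower().startswith(NET_MODULES) for s in strings):
        tags.add("network")
    if any(s.startswith("smtp_") for s in strings):
        tags.add("smtp-config")
    src = rec["fields"].get("Source File", "")
    off = OFFSET_RE.search(src)
    return {"opcode_id": rec["fields"].get("Opcode ID", "")[:16],
            "offset": off.group(1) if off else "",
            "based_on_pe": src.endswith("based on PE: true"),
            "resolved": resolved, "strings": strings, "tags": sorted(tags)}


def index_by_api(records):
    """Pivot table: API name -> opcode-id prefixes of the functions calling it."""
    idx = defaultdict(set)
    for rec in records:
        oid = rec["fields"].get("Opcode ID", "")[:16]
        for a in rec["apis"]:
            idx[a["name"]].add(oid)
    return {k: sorted(v) for k, v in idx.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(triage(r))
    print(index_by_api(recs)["lstrcmpiA"])
```

Run against a full report, the `index_by_api` pivot answers "which function bodies call socket/htons/gethostbyname" without reading every record, and the `based_on_pe` flag separates functions recovered from the mapped image at 00400000 from those in the unbacked 028E0000 region, which is where the injected copy of the bot sits in this analysis.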
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                    • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188212458-0
                                                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                    • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                    • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                                    APIs
                                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 028E67C3
                                                                                                    • htonl.WS2_32(?), ref: 028E67DF
                                                                                                    • htonl.WS2_32(?), ref: 028E67EE
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 028E68F1
                                                                                                    • ExitProcess.KERNEL32 ref: 028E69BC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                    • String ID: except_info$localcfg
                                                                                                    • API String ID: 1150517154-3605449297
                                                                                                    • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                    • Instruction ID: 73303b70a1d2849edf2a4a97c3651639c2883f86b1be2efc71dfda4aa36e896d
                                                                                                    • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                    • Instruction Fuzzy Hash: F4616E71A40218AFDF609FB4DC45FEA77E9FB09300F148066FA6DD2161EB7599908F14
                                                                                                    APIs
                                                                                                    • htons.WS2_32(028ECC84), ref: 028EF5B4
                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 028EF5CE
                                                                                                    • closesocket.WS2_32(00000000), ref: 028EF5DC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: closesockethtonssocket
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 311057483-2401304539
                                                                                                    • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                    • Instruction ID: eef8cedaa32c4043c377951ca7c411c2a849a308b9bcbfeb86339e2023e637b0
                                                                                                    • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                    • Instruction Fuzzy Hash: E43182B990011CABDB10DFA5DC85DEE7BBCEF59314F104566FA0AD3160E7708A81CBA5
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                    • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                    • wsprintfA.USER32 ref: 00407036
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                    • String ID: /%d$|
                                                                                                    • API String ID: 676856371-4124749705
                                                                                                    • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                    • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                    • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                    • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(?), ref: 028E2FA1
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 028E2FB1
                                                                                                    • GetProcAddress.KERNEL32(00000000,004103F0), ref: 028E2FC8
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 028E3000
                                                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 028E3007
                                                                                                    • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 028E3032
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                    • String ID: dnsapi.dll
                                                                                                    • API String ID: 1242400761-3175542204
                                                                                                    • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                    • Instruction ID: 1ecba6b647f8abdf182da9002479b311280b7c13e505a04c39ee7102145d80c4
                                                                                                    • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                    • Instruction Fuzzy Hash: C621A179D00229BBCF329B94DC48AEEBBBCEF09B10F004461F906E7540D7B49A8187E4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 028E9A18
• GetThreadContext.KERNEL32(?,?), ref: 028E9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 028E9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028E9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 028E9AB5
• ResumeThread.KERNEL32(?), ref: 028E9AC2
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: c9ec41b2ade67ca5502a58bbb078579ca0554799ba2fa6770417042b0b6a26dd
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 3A213BB5E01229BBDF119BA1DC09EEF7BBCEF05754F404061FA1AE1050E7B58A54CBA4
APIs
• inet_addr.WS2_32(004102D8), ref: 028E1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 028E1C26
• GetProcessHeap.KERNEL32 ref: 028E1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 028E1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 028E1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 028E1D02
• FreeLibrary.KERNEL32(?), ref: 028E1D0B
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: c9c1fffcff74d94e154a9cf8e7a4754f3494c346b7fab8c74334e50761362ab2
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: 15315E39E00209BFCF119FA4DC8C8EEBAB9EB46705B24447AE50AE2110D7B55E80DB94
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 028E6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028E6D22
• GetLastError.KERNEL32 ref: 028E6DA7
• CloseHandle.KERNEL32(?), ref: 028E6DB5
• GetLastError.KERNEL32 ref: 028E6DD6
• DeleteFileA.KERNEL32(?), ref: 028E6DE7
• GetLastError.KERNEL32 ref: 028E6DFD
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 57618a640335175cf7224a97212673c7bdecc9976c348a6f1f99564ae88d4f05
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 3A31E07EA00249BFCF019FA4DD48ADE7F7DEB5A310F148065E212E3250E771A6458B62
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\aenzvwkq,028E7043), ref: 028E6F4E
• GetProcAddress.KERNEL32(00000000), ref: 028E6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 028E6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 028E6F92
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\aenzvwkq
• API String ID: 1082366364-1406706810
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 6384be63ea21f87ad689a9fc9c8c216880b3f1958a660006293b1ffa09ac6a1c
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 2621262D74035039FB2253359C88FFB3E4D8B63764F1840A5F90AD5480EBD984D6826E
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: bd8251bdc09f893b9a5eebe1649604f1cb4d663aebc7d01bc9f94a6b7e3f64c7
• Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction Fuzzy Hash: 17714F7DB00308AAEF299B58DCC5FEE37699B43F19F144066F90BE2090DF6195C48756
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 028EDF6C: GetCurrentThreadId.KERNEL32 ref: 028EDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 028EE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,028E6128), ref: 028EE950
• lstrcmp.KERNEL32(?,00000008), ref: 028EE989
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 743881cedc14541dc30f7bfbab480e5592f2d9909516d16552de3108dfc6a629
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 0E31A03DA007159BCF71AF24C8847A67BE4EB16736F00852AE56BC7550D370E884CB81
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 4ec890531389ed2b9827086b723cf95f7571b4291eda896d6b4ad8b2b7e4dd2c
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: 76213B7E10412ABFDF10ABB4EC48EDF3FADDB4A664B208465F507D1090EB71DA409674
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
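Two of the per-function API lists above are worth turning into mechanical checks: the CreateProcessA / GetThreadContext / WriteProcessMemory / SetThreadContext / ResumeThread chain at 028E9A18 (the sixth CreateProcessA argument, 00000004, is the documented CREATE_SUSPENDED flag, so this is a suspended-process injection pattern), and the GetTempPathA / CreateFileA / WriteFile chain at 0040907B (CreateFileA with 40000000 = GENERIC_WRITE and 00000002 = CREATE_ALWAYS, i.e. a file written into %TEMP%). The script below is an added example and is not Joe Sandbox code or part of this report: it parses the "• Api.MODULE(args), ref: addr" bullet lines exactly as they appear on this page, applies those two ordering rules, and is run on traces copied from the report plus the CreateFileA / GetDiskFreeSpaceA / DeleteFileA function at 028E6CE4 as a control that writes a file but is not a %TEMP% drop. The rule names and the tolerance for intervening calls (the report lists TerminateProcess between GetThreadContext and WriteProcessMemory) are this example's own choices.

```python
"""Flag API-call chains in Joe Sandbox per-function 'APIs' listings.

Added example, not Joe Sandbox code. The trace strings at the bottom are
copied from this report's APIs blocks and labelled as such.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit (documented Win32 value)
GENERIC_WRITE = 0x40000000      # CreateFile dwDesiredAccess bit
CREATE_ALWAYS = 2               # CreateFile dwCreationDisposition value

# Matches "• Name.MODULE(arg,arg), ref: ADDR", "• Name.MODULE ref: ADDR" and the
# indented "• Part of subcall function ADDR: Name.MODULE..." form; other report lines
# (Memory Dump Source, Opcode ID, ...) have no "Name.MODULE" token and are skipped.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw hex / string / '?' tokens as printed
    ref: Optional[str]       # call-site address
    subcall: Optional[str]   # sub-function address when the call is indirect


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
    return calls


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Hex argument at position index, or None when missing or shown as '?'."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def _next(calls: List[ApiCall], start: int, name: str) -> Optional[int]:
    return next((i for i in range(start, len(calls)) if calls[i].name == name), None)


def find_suspended_injection(calls: List[ApiCall]) -> Optional[List[int]]:
    """Indices of CreateProcess(CREATE_SUSPENDED) -> GetThreadContext -> WriteProcessMemory
    -> SetThreadContext -> ResumeThread, in that order; unrelated calls may sit between."""
    chain = ["GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    for i, c in enumerate(calls):
        if c.name not in ("CreateProcessA", "CreateProcessW"):
            continue
        flags = arg_int(c, 5)               # 6th parameter: dwCreationFlags
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        found, pos = [i], i + 1
        for want in chain:
            j = _next(calls, pos, want)
            if j is None:
                break
            found.append(j)
            pos = j + 1
        else:                               # every link of the chain was found
            return found
    return None


def find_temp_drop(calls: List[ApiCall]) -> Optional[List[int]]:
    """Indices of GetTempPath -> CreateFile(GENERIC_WRITE, CREATE_ALWAYS) -> WriteFile."""
    t = next((i for i, c in enumerate(calls) if c.name.startswith("GetTempPath")), None)
    if t is None:
        return None
    for j in range(t + 1, len(calls)):
        c = calls[j]
        if c.name not in ("CreateFileA", "CreateFileW"):
            continue
        access, disposition = arg_int(c, 1), arg_int(c, 4)
        if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
            k = _next(calls, j + 1, "WriteFile")
            if k is not None:
                return [t, j, k]
    return None


# Constructed inputs: copied from this report's APIs blocks.
HOLLOWING_TRACE = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 028E9A18
• GetThreadContext.KERNEL32(?,?), ref: 028E9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 028E9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 028E9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 028E9AB5
• ResumeThread.KERNEL32(?), ref: 028E9AC2
"""
TEMP_DROP_TRACE = """
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
"""
# Control: also CreateFileA(GENERIC_WRITE, CREATE_ALWAYS), but no %TEMP% path and no WriteFile.
PROBE_TRACE = """
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 028E6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 028E6D22
• DeleteFileA.KERNEL32(?), ref: 028E6DE7
"""

if __name__ == "__main__":
    for label, trace in (("hollowing", HOLLOWING_TRACE), ("temp drop", TEMP_DROP_TRACE), ("probe", PROBE_TRACE)):
        calls = parse_trace(trace)
        print(label, find_suspended_injection(calls), find_temp_drop(calls))
```

The parser ignores every line that lacks a `Name.MODULE` token, so a whole block (APIs, Strings, Memory Dump Source and hash lines) can be pasted in unchanged. Arguments printed as `?` are treated as unknown rather than zero, which is why the CreateProcessA check reads only the explicit 00000004 flag and never fires on a `?`.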
                                                                                                    APIs
                                                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 028E92E2
                                                                                                    • wsprintfA.USER32 ref: 028E9350
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 028E9375
                                                                                                    • lstrlen.KERNEL32(?,?,00000000), ref: 028E9389
                                                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 028E9394
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 028E939B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 2439722600-0
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                    • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                    • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0040E538,?,771B0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                    • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3819781495-0
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 028EC6B4
                                                                                                    • InterlockedIncrement.KERNEL32(028EC74B), ref: 028EC715
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,028EC747), ref: 028EC728
                                                                                                    • CloseHandle.KERNEL32(00000000,?,028EC747,00413588,028E8A77), ref: 028EC733
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1026198776-1857712256
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408187
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004081BE
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408210
                                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                                      • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                                      • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                                      • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
                                                                                                    • API String ID: 124786226-4065764218
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 028E71E1
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 028E7228
                                                                                                    • LocalFree.KERNEL32(?,?,?), ref: 028E7286
                                                                                                    • wsprintfA.USER32 ref: 028E729D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                    • String ID: |
                                                                                                    • API String ID: 2539190677-2343686810
                                                                                                    APIs
                                                                                                    • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                    • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                    • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • API ID: lstrlen$gethostnamelstrcpy
                                                                                                    • String ID: LocalHost
                                                                                                    • API String ID: 3695455745-3154191806
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                    • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • API ID: QueryValue$CloseOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1586453840-0
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 028EB51A
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 028EB529
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 028EB548
                                                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 028EB590
                                                                                                    • wsprintfA.USER32 ref: 028EB61E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 4026320513-0
                                                                                                    APIs
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                                    • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                    • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                    • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • API ID: Read$AddressLibraryLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2438460464-0
                                                                                                    APIs
                                                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 028E6303
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 028E632A
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 028E63B1
                                                                                                    • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 028E6405
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 3498078134-0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • API ID:
                                                                                                    • String ID:
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,771B0F10,00000000,?,00405EC1), ref: 0040E722
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: setsockopt
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 028E93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 028E93CD
• CharToOemA.USER32(?,?), ref: 028E93DB
• wsprintfA.USER32 ref: 028E9410
  • Part of subcall function 028E92CB: GetTempPathA.KERNEL32(00000400,?), ref: 028E92E2
  • Part of subcall function 028E92CB: wsprintfA.USER32 ref: 028E9350
  • Part of subcall function 028E92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 028E9375
  • Part of subcall function 028E92CB: lstrlen.KERNEL32(?,?,00000000), ref: 028E9389
  • Part of subcall function 028E92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 028E9394
  • Part of subcall function 028E92CB: CloseHandle.KERNEL32(00000000), ref: 028E939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 028E9448
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
                                                                                                    APIs
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 028E69E5
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 028E6A26
                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 028E6A3A
                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 028E6BD8
                                                                                                      • Part of subcall function 028EEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,028E1DCF,?), ref: 028EEEA8
                                                                                                      • Part of subcall function 028EEE95: HeapFree.KERNEL32(00000000), ref: 028EEEAF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 3384756699-0
                                                                                                    • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                    • Instruction ID: 26be9e3968bc622b2e7ed04344e83377216a3f563e74984105dd3fa98dde7dd8
                                                                                                    • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                    • Instruction Fuzzy Hash: 4F711679D0022DEFDF109FA4CC80AEEBBB9FB45314F10456AE516E6190E7709E92CB60
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf
                                                                                                    • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                    • API String ID: 2111968516-120809033
                                                                                                    • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                    • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                    • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                    • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                    APIs
                                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                    • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                                    • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                                    • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseCreateDelete
                                                                                                    • String ID:
                                                                                                    • API String ID: 2667537340-0
                                                                                                    • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                    • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                    • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                    • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                    APIs
                                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,028EE50A,00000000,00000000,00000000,00020106,00000000,028EE50A,00000000,000000E4), ref: 028EE319
                                                                                                    • RegSetValueExA.ADVAPI32(028EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 028EE38E
                                                                                                    • RegDeleteValueA.ADVAPI32(028EE50A,?,?,?,?,?,000000C8,004122F8), ref: 028EE3BF
                                                                                                    • RegCloseKey.ADVAPI32(028EE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,028EE50A), ref: 028EE3C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseCreateDelete
                                                                                                    • String ID:
                                                                                                    • API String ID: 2667537340-0
                                                                                                    • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                    • Instruction ID: 420a984ac16423a8a048b8f2ee9f56cc16f22d3c181e41e7aafd048ba262ffef
                                                                                                    • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                    • Instruction Fuzzy Hash: 11216F79A0021DBBDF209FA4EC89EDE7F79EF09760F048061F919E6150E3718A54DBA1
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                    • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3373104450-0
                                                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                    • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 888215731-0
                                                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 028E421F
                                                                                                    • GetLastError.KERNEL32 ref: 028E4229
                                                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 028E423A
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 028E424D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 888215731-0
                                                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction ID: 4d709e8d4657076daab2aae10d588a9c2c8f1bccf9359e9aa110ace389b6bdc1
                                                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                    • Instruction Fuzzy Hash: C9010876511109AFDF01DF90ED84BEF7BACFB09256F0080A1F91AE2050D770EA549BB6
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 028E41AB
                                                                                                    • GetLastError.KERNEL32 ref: 028E41B5
                                                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 028E41C6
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 028E41D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3373104450-0
                                                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction ID: 6cf7cb0b35321913318753b6ea816038b23857507ac6041419fc580ac48ee3ad
                                                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                    • Instruction Fuzzy Hash: 8B010C7A51110AAFDF01DF90ED84BEF7B6CEB19259F004062F906E2050D770DA548BB5
                                                                                                    APIs
                                                                                                    • lstrcmp.KERNEL32(?,80000009), ref: 028EE066
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmp
                                                                                                    • String ID: A$ A$ A
                                                                                                    • API String ID: 1534048567-1846390581
                                                                                                    • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                    • Instruction ID: aefc7965587d1740679bb59b04fe3514368ee8a94b349ff034bbc939caacbf91
                                                                                                    • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                    • Instruction Fuzzy Hash: 5AF06D3A2007169BCF30CF25D884A82B7E9FB0A335B448A2AE95AC3460D374A498CB55
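A small parser for entries of this form, added here as an example (it is not Joe Sandbox code and not part of the sample): it reads the "APIs", "Source File", "API ID" and "Opcode ID" lines, rebuilds the API ID key, and separates byte-identical functions (same Opcode ID in the 0x00400000 image and in the 0x028E0000 non-PE region, as with the ReadFile/WriteFile pairs above) from functions that only share a call sequence (the two registry functions, whose Opcode IDs differ) and from functions that exist only in the unpacked region. The REPORT string is constructed from entries on this page; the stop-word list and the frequency-tier/`$` rule used to rebuild the API ID are inferred from those entries and are assumptions, not a documented Joe Sandbox algorithm.

```python
"""Correlate Joe Sandbox function entries across memory dumps. Added example, not
Joe Sandbox code. The API ID reconstruction (CamelCase tokens, stop-word list,
frequency tiers joined by '$') is inferred from this page's entries and is an
assumption. REPORT is a constructed sample: five entries copied from this page."""
import re
from collections import Counter, defaultdict
from types import SimpleNamespace

REPORT = """
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 028E41AB
• GetLastError.KERNEL32 ref: 028E41B5
• WaitForSingleObject.KERNEL32(?,?), ref: 028E41C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 028E41D9
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• API ID: Value$CloseCreateDelete
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
APIs
• RegCreateKeyExA.ADVAPI32(80000001,028EE50A,00000000,00000000,00000000,00020106,00000000,028EE50A,00000000,000000E4), ref: 028EE319
• RegSetValueExA.ADVAPI32(028EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 028EE38E
• RegDeleteValueA.ADVAPI32(028EE50A,?,?,?,?,?,000000C8,004122F8), ref: 028EE3BF
• RegCloseKey.ADVAPI32(028EE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,028EE50A), ref: 028EE3C8
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
• API ID: Value$CloseCreateDelete
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 028EE066
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
• API ID: lstrcmp
• Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
"""

STOPWORDS = {"Get", "Set", "For", "Reg", "Key", "Ex", "A"}  # inferred from this page's keys
API_RE = re.compile(r"^• (?:Part of subcall function [0-9A-F]+: )?(\w+)\.\w+")

def parse(text):
    """One record per 'APIs' entry: PE-backed flag, API names, API ID, Opcode ID."""
    funcs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            cur = SimpleNamespace(is_pe=False, apis=[], api_id="", opcode_id="")
            funcs.append(cur)
        elif m := API_RE.match(line):
            cur.apis.append(m.group(1))
        elif line.startswith("• Source File:"):
            cur.is_pe = line.endswith("based on PE: true")
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return funcs

def api_id(names):
    """Rebuild the 'API ID' key from one entry's API names (inferred rule)."""
    counts = Counter()
    for n in names:
        toks = re.findall(r"[A-Z][a-z0-9]*", n) if n[0].isupper() else [n]
        counts.update(t for t in toks if t not in STOPWORDS)
    tiers = defaultdict(list)  # occurrence count -> tokens with that count
    for tok, c in counts.items():
        tiers[c].append(tok)
    return "$".join("".join(sorted(tiers[c])) for c in sorted(tiers, reverse=True))

def correlate(funcs):
    """Classify each function of the unpacked (non-PE) region against the image."""
    pe_opcodes = {f.opcode_id for f in funcs if f.is_pe}
    pe_api_ids = {f.api_id for f in funcs if f.is_pe}
    out = defaultdict(list)
    for f in funcs:
        if f.api_id != api_id(f.apis):  # reconstruction disagrees with the report
            out["api_id_mismatch"].append(f.api_id)
        if f.is_pe:
            continue
        key = ("identical" if f.opcode_id in pe_opcodes      # same bytes, new base
               else "same_apis" if f.api_id in pe_api_ids   # same calls, different bytes
               else "unpacked_only")                        # seen only after unpacking
        out[key].append(f.api_id)
    return dict(out)

if __name__ == "__main__":
    print(correlate(parse(REPORT)))
```

A "based on PE: false" source is a dump of a region that was not mapped from a PE file, which is what the unpacking and injection detections in the overview point at. The "same_apis" class is the one worth a closer look: the registry pair above has the same call sequence but different Opcode IDs and argument values (0040E2A3 in the image, 028EE50A in the region), consistent with a copy relocated to the new base rather than a plain memcpy. For reading those registry calls, 80000001 as the first RegCreateKeyExA argument is HKEY_CURRENT_USER, 00020106 is KEY_WRITE | KEY_WOW64_64KEY, and 00000003 as the RegSetValueExA type is REG_BINARY, so this function writes a binary blob under HKCU.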
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                    • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                    • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                    • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                    • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                    • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                    • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                    • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                    • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                    • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                    • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                    • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                    • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                    • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                    • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00403103
                                                                                                    • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                    • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                    • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                    • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                    • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 028E83C6
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 028E8477
                                                                                                      • Part of subcall function 028E69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 028E69E5
                                                                                                      • Part of subcall function 028E69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 028E6A26
                                                                                                      • Part of subcall function 028E69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 028E6A3A
                                                                                                      • Part of subcall function 028EEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,028E1DCF,?), ref: 028EEEA8
                                                                                                      • Part of subcall function 028EEE95: HeapFree.KERNEL32(00000000), ref: 028EEEAF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
                                                                                                    • API String ID: 359188348-4065764218
                                                                                                    • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                    • Instruction ID: 8111f746c21de0d9b5a6c5b92d315836c0079fc5f8c008d56991f5089745434e
                                                                                                    • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                    • Instruction Fuzzy Hash: 214173BE900109BFDF11EBA49E80EFF776DEF06348F0484A6E906D6060F7715A548B51
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 028EAFFF
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 028EB00D
                                                                                                      • Part of subcall function 028EAF6F: gethostname.WS2_32(?,00000080), ref: 028EAF83
                                                                                                      • Part of subcall function 028EAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 028EAFE6
                                                                                                      • Part of subcall function 028E331C: gethostname.WS2_32(?,00000080), ref: 028E333F
                                                                                                      • Part of subcall function 028E331C: gethostbyname.WS2_32(?), ref: 028E3349
                                                                                                      • Part of subcall function 028EAA0A: inet_ntoa.WS2_32(00000000), ref: 028EAA10
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                    • String ID: %OUTLOOK_BND_
                                                                                                    • API String ID: 1981676241-3684217054
                                                                                                    • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                    • Instruction ID: 7b40eeac551daf71a168d888f8d163f536ee124665b8cfd4d54d6d96bf918dd7
                                                                                                    • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                    • Instruction Fuzzy Hash: 08418E7A90020CABCF25EFA4DC45EEE3BADFB09304F144426FA29D2051EB75E6448F55
                                                                                                    APIs
                                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 028E9536
                                                                                                    • Sleep.KERNEL32(000001F4), ref: 028E955D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShellSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 4194306370-3916222277
                                                                                                    • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                    • Instruction ID: a173241034df20dadec73f1548cc1d66edb13b69079ca5afbea89d24dde27a58
                                                                                                    • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                    • Instruction Fuzzy Hash: 4F41F3BD808389AEEF368A68D8887B63BA59F03318F1841E5D49BD71A2D7F44981C751
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                    • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID: ,k@
                                                                                                    • API String ID: 3934441357-1053005162
                                                                                                    • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                    • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                    • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                    • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 028EB9D9
                                                                                                    • InterlockedIncrement.KERNEL32(00413648), ref: 028EBA3A
                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 028EBA94
                                                                                                    • GetTickCount.KERNEL32 ref: 028EBB79
                                                                                                    • GetTickCount.KERNEL32 ref: 028EBB99
                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 028EBE15
                                                                                                    • closesocket.WS2_32(00000000), ref: 028EBEB4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                    • String ID: %FROM_EMAIL
                                                                                                    • API String ID: 1869671989-2903620461
                                                                                                    • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                    • Instruction ID: 4e911922cb56cedb0bf919d93488260e960869bb4ec5a2ac50845884b6297059
                                                                                                    • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                    • Instruction Fuzzy Hash: 98319E79500249DFDF25DFA4DC84AEDB7A8FB46708F204066FA26D2160DB30D684CF11
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 536389180-1857712256
                                                                                                    • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                    • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                    • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                    • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTickwsprintf
                                                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                    • API String ID: 2424974917-1012700906
                                                                                                    • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                    • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                    • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                    • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                    APIs
                                                                                                      • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                      • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                    • String ID: %FROM_EMAIL
                                                                                                    • API String ID: 3716169038-2903620461
                                                                                                    • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                    • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                    • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                    • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 028E70BC
                                                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 028E70F4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Name$AccountLookupUser
                                                                                                    • String ID: |
                                                                                                    • API String ID: 2370142434-2343686810
                                                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                    • Instruction ID: ae8b8039ab439a83bd777cd7e1772763c24e16bcbea643b6c2a38e29cc5e0adc
                                                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                    • Instruction Fuzzy Hash: 59112A7A90025CEBDF11CBD4DC84ADEB7BCAB05305F1441A6E506E6094E7709B88EBA1
                                                                                                    APIs
                                                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
APIs
  • Part of subcall function 028E2F88: GetModuleHandleA.KERNEL32(?), ref: 028E2FA1
  • Part of subcall function 028E2F88: LoadLibraryA.KERNEL32(?), ref: 028E2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 028E31DA
• HeapFree.KERNEL32(00000000), ref: 028E31E1
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: fcdde366f61de399b1405a5cf41938bb2afc19d1a815d340e929854b6559a11f
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: BA516D7990024AAFCF05DF68D884AFAB775FF16305F1445A9EC9AC7210E7329A19CB90
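
The function records above are the Joe Sandbox IDA plugin's per-function summaries: the API calls a function (or one of its subcalls) makes with their call-site addresses, the memory dump the code was lifted from, and the matching IDs. For a report with hundreds of such records it helps to pull them into structured form and bucket them by API family (WS2_32 name resolution, host fingerprinting via GetComputerNameA/GetVolumeInformationA, dynamic import via LoadLibraryA/GetProcAddress) and to cross-check the dump metadata. The Python below is an added example, not part of the report or of Joe Sandbox's tooling. It assumes only the line shapes visible above (a bullet, `Name.MODULE(args), ref: ADDR`, the `Source File ... Offset ... based on PE` line, and `key: value` fields); the only field of the `.sdmp` name it decodes is the first one, read as the process id in hex because it agrees with the `hcaresult_15_...` snapshot name, and the tag names are this example's own labels. The sample input is constructed from three of the records above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three function records copied from the report above,
# trimmed to the bullet lines the parser reads.
SAMPLE_RECORDS = """\
APIs
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_15_2_400000_ybyrikeu.jbxd
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
APIs
  • Part of subcall function 028E2F88: GetModuleHandleA.KERNEL32(?), ref: 028E2FA1
  • Part of subcall function 028E2F88: LoadLibraryA.KERNEL32(?), ref: 028E2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 028E31DA
• HeapFree.KERNEL32(00000000), ref: 028E31E1
Memory Dump Source
• Source File: 0000000F.00000002.1367922427.00000000028E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
• Snapshot File: hcaresult_15_2_28e0000_ybyrikeu.jbxd
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
• Source File: 0000000F.00000002.1366646890.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: localcfg
"""

API_LINE = re.compile(r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                      r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_LINE = re.compile(r"^\s*•\s+Source File: (?P<file>[^,\s]+), Offset: (?P<offset>[0-9A-Fa-f]+), "
                         r"based on PE: (?P<pe>true|false)")
FIELD_LINE = re.compile(r"^\s*•\s+(?P<key>API ID|String ID|API String ID|Snapshot File): ?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str                          # raw argument list as printed; '?' = unresolved
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function X" lines


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)
    source_file: str = ""
    pid: Optional[int] = None
    base: Optional[int] = None
    based_on_pe: Optional[bool] = None


def parse_records(text):
    """One FunctionRecord per 'APIs' heading; unknown lines are ignored."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif m := API_LINE.match(line):
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"], int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif m := SOURCE_LINE.match(line):
            cur.source_file = m["file"]
            # Assumption: first dot-separated field of the .sdmp name is the pid in hex
            # (0000000F -> 15, which matches "hcaresult_15_..." in the snapshot name).
            cur.pid = int(m["file"].split(".")[0], 16)
            cur.base = int(m["offset"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif m := FIELD_LINE.match(line):
            cur.fields[m["key"]] = m["val"].strip()
    return records


# Triage buckets: these tag names are this example's own, not Joe Sandbox categories.
HOST_FINGERPRINT = {"GetComputerNameA", "GetVolumeInformationA"}
DYNAMIC_IMPORT = {"LoadLibraryA", "GetProcAddress"}


def triage_tags(rec):
    names = {a.name for a in rec.apis}
    tags = set()
    if any(a.module.upper() == "WS2_32" for a in rec.apis):
        tags.add("network")
    if names & HOST_FINGERPRINT:
        tags.add("host-fingerprint")
    if names & DYNAMIC_IMPORT:
        tags.add("dynamic-import")
    if rec.based_on_pe is False:
        tags.add("non-image-memory")   # lifted from a region not backed by a PE image
    return tags


def snapshot_consistent(rec):
    """Cross-check pid/base from the .sdmp name against hcaresult_<pid>_<n>_<base>_...;
    None when the record has no Snapshot File line."""
    snap = rec.fields.get("Snapshot File")
    if not snap:
        return None
    _, pid, _, base, *_ = snap.split("_")
    return int(pid) == rec.pid and int(base, 16) == rec.base
```

Running `parse_records` over a whole report and grouping by `triage_tags` gives a quick map of which dumped regions hold the resolver, fingerprinting and loader code; `snapshot_consistent` catches records whose dump and snapshot metadata disagree, which is worth a second look before trusting the lifted addresses.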

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1807
Total number of Limit Nodes: 18
                                                                                                    execution_graph 7902 2b8be31 lstrcmpiA 7903 2b8be55 lstrcmpiA 7902->7903 7909 2b8be71 7902->7909 7904 2b8be61 lstrcmpiA 7903->7904 7903->7909 7904->7909 7914 2b8bfc8 7904->7914 7905 2b8bf62 lstrcmpiA 7906 2b8bf70 7905->7906 7907 2b8bf77 lstrcmpiA 7905->7907 7910 2b8bfc2 7906->7910 7911 2b8ec2e codecvt 4 API calls 7906->7911 7906->7914 7907->7906 7908 2b8bf8c lstrcmpiA 7907->7908 7908->7906 7909->7905 7912 2b8ebcc 4 API calls 7909->7912 7913 2b8ec2e codecvt 4 API calls 7910->7913 7911->7906 7917 2b8beb6 7912->7917 7913->7914 7915 2b8bf5a 7915->7905 7916 2b8ebcc 4 API calls 7916->7917 7917->7905 7917->7914 7917->7915 7917->7916 7918 2b85d34 IsBadWritePtr 7919 2b85d47 7918->7919 7920 2b85d4a 7918->7920 7923 2b85389 7920->7923 7924 2b84bd1 4 API calls 7923->7924 7925 2b853a5 7924->7925 7926 2b84ae6 8 API calls 7925->7926 7928 2b853ad 7926->7928 7927 2b84ae6 8 API calls 7927->7928 7928->7927 7929 2b85407 7928->7929 7930 2b85029 7935 2b84a02 7930->7935 7936 2b84a18 7935->7936 7937 2b84a12 7935->7937 7939 2b8ec2e codecvt 4 API calls 7936->7939 7940 2b84a26 7936->7940 7938 2b8ec2e codecvt 4 API calls 7937->7938 7938->7936 7939->7940 7941 2b8ec2e codecvt 4 API calls 7940->7941 7942 2b84a34 7940->7942 7941->7942 6129 2b89a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 6245 2b8ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6129->6245 6131 2b89a95 6132 2b89aa3 GetModuleHandleA GetModuleFileNameA 6131->6132 6137 2b8a3cc 6131->6137 6142 2b89ac4 6132->6142 6133 2b8a41c CreateThread WSAStartup 6246 2b8e52e 6133->6246 7321 2b8405e CreateEventA 6133->7321 6135 2b89afd GetCommandLineA 6145 2b89b22 6135->6145 6136 2b8a406 DeleteFileA 6136->6137 6138 2b8a40d 6136->6138 6137->6133 6137->6136 6137->6138 6140 2b8a3ed GetLastError 6137->6140 6138->6133 6139 2b8a445 6265 2b8eaaf 6139->6265 6140->6138 6143 2b8a3f8 Sleep 6140->6143 6142->6135 6143->6136 6144 2b8a44d 
6269 2b81d96 6144->6269 6149 2b89c0c 6145->6149 6156 2b89b47 6145->6156 6147 2b8a457 6317 2b880c9 6147->6317 6509 2b896aa 6149->6509 6160 2b89b96 lstrlenA 6156->6160 6165 2b89b58 6156->6165 6157 2b89c39 6161 2b8a167 GetModuleHandleA GetModuleFileNameA 6157->6161 6515 2b84280 CreateEventA 6157->6515 6158 2b8a1d2 6166 2b8a1e3 GetCommandLineA 6158->6166 6160->6165 6163 2b8a189 6161->6163 6164 2b89c05 ExitProcess 6161->6164 6163->6164 6173 2b8a1b2 GetDriveTypeA 6163->6173 6165->6164 6468 2b8675c 6165->6468 6191 2b8a205 6166->6191 6173->6164 6175 2b8a1c5 6173->6175 6616 2b89145 GetModuleHandleA GetModuleFileNameA CharToOemA 6175->6616 6176 2b8675c 21 API calls 6178 2b89c79 6176->6178 6178->6161 6183 2b89e3e 6178->6183 6184 2b89ca0 GetTempPathA 6178->6184 6179 2b89bff 6179->6164 6181 2b8a491 6182 2b8a49f GetTickCount 6181->6182 6185 2b8a4be Sleep 6181->6185 6190 2b8a4b7 GetTickCount 6181->6190 6364 2b8c913 6181->6364 6182->6181 6182->6185 6195 2b89e6b GetEnvironmentVariableA 6183->6195 6196 2b89e04 6183->6196 6184->6183 6187 2b89cba 6184->6187 6185->6181 6541 2b899d2 lstrcpyA 6187->6541 6190->6185 6192 2b8a285 lstrlenA 6191->6192 6206 2b8a239 6191->6206 6192->6206 6195->6196 6197 2b89e7d 6195->6197 6611 2b8ec2e 6196->6611 6198 2b899d2 16 API calls 6197->6198 6200 2b89e9d 6198->6200 6200->6196 6203 2b89eb0 lstrcpyA lstrlenA 6200->6203 6201 2b89d5f 6555 2b86cc9 6201->6555 6205 2b89ef4 6203->6205 6204 2b8a3c2 6628 2b898f2 6204->6628 6209 2b86dc2 6 API calls 6205->6209 6213 2b89f03 6205->6213 6206->6206 6624 2b86ec3 6206->6624 6209->6213 6210 2b8a39d StartServiceCtrlDispatcherA 6210->6204 6211 2b89d72 lstrcpyA lstrcatA lstrcatA 6215 2b89cf6 6211->6215 6212 2b8a3c7 6212->6137 6214 2b89f32 RegOpenKeyExA 6213->6214 6217 2b89f48 RegSetValueExA RegCloseKey 6214->6217 6222 2b89f70 6214->6222 6564 2b89326 6215->6564 6216 2b8a35f 6216->6204 6216->6210 6217->6222 6220 2b89dde GetFileAttributesExA 6221 2b89e0c DeleteFileA 6220->6221 6223 2b89df7 6220->6223 6221->6183 6225 2b89f9d 
GetModuleHandleA GetModuleFileNameA 6222->6225 6223->6196 6601 2b896ff 6223->6601 6227 2b8a093 6225->6227 6228 2b89fc2 6225->6228 6229 2b8a103 CreateProcessA 6227->6229 6230 2b8a0a4 wsprintfA 6227->6230 6228->6227 6234 2b89ff1 GetDriveTypeA 6228->6234 6231 2b8a13a 6229->6231 6232 2b8a12a DeleteFileA 6229->6232 6607 2b82544 6230->6607 6231->6196 6238 2b896ff 3 API calls 6231->6238 6232->6231 6234->6227 6236 2b8a00d 6234->6236 6240 2b8a02d lstrcatA 6236->6240 6238->6196 6241 2b8a046 6240->6241 6242 2b8a052 lstrcatA 6241->6242 6243 2b8a064 lstrcatA 6241->6243 6242->6243 6243->6227 6244 2b8a081 lstrcatA 6243->6244 6244->6227 6245->6131 6635 2b8dd05 GetTickCount 6246->6635 6248 2b8e538 6643 2b8dbcf 6248->6643 6250 2b8e544 6251 2b8e555 GetFileSize 6250->6251 6255 2b8e5b8 6250->6255 6252 2b8e5b1 CloseHandle 6251->6252 6253 2b8e566 6251->6253 6252->6255 6667 2b8db2e 6253->6667 6653 2b8e3ca RegOpenKeyExA 6255->6653 6257 2b8e576 ReadFile 6257->6252 6259 2b8e58d 6257->6259 6671 2b8e332 6259->6671 6261 2b8e5f2 6263 2b8e3ca 19 API calls 6261->6263 6264 2b8e629 6261->6264 6263->6264 6264->6139 6266 2b8eabe 6265->6266 6268 2b8eaba 6265->6268 6267 2b8dd05 6 API calls 6266->6267 6266->6268 6267->6268 6268->6144 6270 2b8ee2a 6269->6270 6271 2b81db4 GetVersionExA 6270->6271 6272 2b81dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6271->6272 6274 2b81e24 6272->6274 6275 2b81e16 GetCurrentProcess 6272->6275 6729 2b8e819 6274->6729 6275->6274 6277 2b81e3d 6278 2b8e819 11 API calls 6277->6278 6279 2b81e4e 6278->6279 6280 2b81e77 6279->6280 6770 2b8df70 6279->6770 6736 2b8ea84 6280->6736 6284 2b81e6c 6286 2b8df70 12 API calls 6284->6286 6285 2b8e819 11 API calls 6287 2b81e93 6285->6287 6286->6280 6740 2b8199c inet_addr LoadLibraryA 6287->6740 6290 2b8e819 11 API calls 6291 2b81eb9 6290->6291 6292 2b81ed8 6291->6292 6294 2b8f04e 4 API calls 6291->6294 6293 2b8e819 11 API calls 6292->6293 6295 2b81eee 6293->6295 6296 2b81ec9 6294->6296 6304 2b81f0a 6295->6304 6754 2b81b71 6295->6754 6297 
2b8ea84 30 API calls 6296->6297 6297->6292 6299 2b8e819 11 API calls 6302 2b81f23 6299->6302 6300 2b81efd 6301 2b8ea84 30 API calls 6300->6301 6301->6304 6310 2b81f3f 6302->6310 6758 2b81bdf 6302->6758 6303 2b8e819 11 API calls 6306 2b81f5e 6303->6306 6304->6299 6308 2b81f77 6306->6308 6311 2b8ea84 30 API calls 6306->6311 6766 2b830b5 6308->6766 6309 2b8ea84 30 API calls 6309->6310 6310->6303 6311->6308 6315 2b86ec3 2 API calls 6316 2b81f8e GetTickCount 6315->6316 6316->6147 6318 2b86ec3 2 API calls 6317->6318 6319 2b880eb 6318->6319 6320 2b880f9 6319->6320 6321 2b880ef 6319->6321 6837 2b8704c 6320->6837 6824 2b87ee6 6321->6824 6324 2b88269 CreateThread 6343 2b85e6c 6324->6343 7299 2b8877e 6324->7299 6325 2b880f4 6325->6324 6327 2b8675c 21 API calls 6325->6327 6326 2b88110 6326->6325 6328 2b88156 RegOpenKeyExA 6326->6328 6333 2b88244 6327->6333 6329 2b8816d RegQueryValueExA 6328->6329 6330 2b88216 6328->6330 6331 2b8818d 6329->6331 6332 2b881f7 6329->6332 6330->6325 6331->6332 6337 2b8ebcc 4 API calls 6331->6337 6334 2b8820d RegCloseKey 6332->6334 6336 2b8ec2e codecvt 4 API calls 6332->6336 6333->6324 6335 2b8ec2e codecvt 4 API calls 6333->6335 6334->6330 6335->6324 6338 2b881dd 6336->6338 6339 2b881a0 6337->6339 6338->6334 6339->6334 6340 2b881aa RegQueryValueExA 6339->6340 6340->6332 6341 2b881c4 6340->6341 6342 2b8ebcc 4 API calls 6341->6342 6342->6338 6939 2b8ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6343->6939 6345 2b85e71 6940 2b8e654 6345->6940 6347 2b85ec1 6348 2b83132 6347->6348 6349 2b8df70 12 API calls 6348->6349 6350 2b8313b 6349->6350 6351 2b8c125 6350->6351 6951 2b8ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6351->6951 6353 2b8c12d 6354 2b8e654 13 API calls 6353->6354 6355 2b8c2bd 6354->6355 6356 2b8e654 13 API calls 6355->6356 6357 2b8c2c9 6356->6357 6358 2b8e654 13 API calls 6357->6358 6359 2b8a47a 6358->6359 6360 2b88db1 6359->6360 6361 2b88dbc 6360->6361 6362 2b8e654 13 API calls 6361->6362 6363 2b88dec 
Sleep 6362->6363 6363->6181 6365 2b8c92f 6364->6365 6366 2b8c93c 6365->6366 6963 2b8c517 6365->6963 6368 2b8ca2b 6366->6368 6369 2b8e819 11 API calls 6366->6369 6368->6181 6370 2b8c96a 6369->6370 6371 2b8e819 11 API calls 6370->6371 6372 2b8c97d 6371->6372 6373 2b8e819 11 API calls 6372->6373 6374 2b8c990 6373->6374 6375 2b8c9aa 6374->6375 6376 2b8ebcc 4 API calls 6374->6376 6375->6368 6952 2b82684 6375->6952 6376->6375 6381 2b8ca26 6980 2b8c8aa 6381->6980 6384 2b8ca44 6385 2b8ca4b closesocket 6384->6385 6386 2b8ca83 6384->6386 6385->6381 6387 2b8ea84 30 API calls 6386->6387 6388 2b8caac 6387->6388 6389 2b8f04e 4 API calls 6388->6389 6390 2b8cab2 6389->6390 6391 2b8ea84 30 API calls 6390->6391 6392 2b8caca 6391->6392 6393 2b8ea84 30 API calls 6392->6393 6394 2b8cad9 6393->6394 6984 2b8c65c 6394->6984 6397 2b8cb60 closesocket 6397->6368 6399 2b8dad2 closesocket 6400 2b8e318 23 API calls 6399->6400 6401 2b8dae0 6400->6401 6401->6368 6402 2b8df4c 20 API calls 6460 2b8cb70 6402->6460 6407 2b8e654 13 API calls 6407->6460 6413 2b8cc1c GetTempPathA 6413->6460 6414 2b8ea84 30 API calls 6414->6460 6415 2b8d569 closesocket Sleep 7031 2b8e318 6415->7031 6416 2b8d815 wsprintfA 6416->6460 6417 2b8c517 23 API calls 6417->6460 6419 2b8f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6419->6460 6420 2b8e8a1 30 API calls 6420->6460 6421 2b8d582 ExitProcess 6422 2b8c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6422->6460 6423 2b8cfe3 GetSystemDirectoryA 6423->6460 6424 2b8675c 21 API calls 6424->6460 6425 2b8d027 GetSystemDirectoryA 6425->6460 6426 2b8cfad GetEnvironmentVariableA 6426->6460 6427 2b8d105 lstrcatA 6427->6460 6428 2b8ef1e lstrlenA 6428->6460 6429 2b8ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6429->6460 6430 2b8cc9f CreateFileA 6433 2b8ccc6 WriteFile 6430->6433 6430->6460 6431 2b88e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6431->6460 6432 2b8d15b CreateFileA 6434 
2b8d182 WriteFile CloseHandle 6432->6434 6432->6460 6435 2b8cdcc CloseHandle 6433->6435 6436 2b8cced CloseHandle 6433->6436 6434->6460 6435->6460 6441 2b8cd2f 6436->6441 6437 2b8d149 SetFileAttributesA 6437->6432 6438 2b8cd16 wsprintfA 6438->6441 6439 2b8d36e GetEnvironmentVariableA 6439->6460 6440 2b8d1bf SetFileAttributesA 6440->6460 6441->6438 7013 2b87fcf 6441->7013 6442 2b87ead 6 API calls 6442->6460 6443 2b8d22d GetEnvironmentVariableA 6443->6460 6445 2b8d3af lstrcatA 6448 2b8d3f2 CreateFileA 6445->6448 6445->6460 6447 2b87fcf 64 API calls 6447->6460 6451 2b8d415 WriteFile CloseHandle 6448->6451 6448->6460 6449 2b8cda5 6453 2b87ee6 64 API calls 6449->6453 6450 2b8cd81 WaitForSingleObject CloseHandle CloseHandle 6452 2b8f04e 4 API calls 6450->6452 6451->6460 6452->6449 6454 2b8cdbd DeleteFileA 6453->6454 6454->6460 6455 2b8d4b1 CreateProcessA 6459 2b8d4e8 CloseHandle CloseHandle 6455->6459 6455->6460 6456 2b8d3e0 SetFileAttributesA 6456->6448 6457 2b8d26e lstrcatA 6458 2b8d2b1 CreateFileA 6457->6458 6457->6460 6458->6460 6461 2b8d2d8 WriteFile CloseHandle 6458->6461 6459->6460 6460->6399 6460->6402 6460->6407 6460->6413 6460->6414 6460->6415 6460->6416 6460->6417 6460->6419 6460->6420 6460->6422 6460->6423 6460->6424 6460->6425 6460->6426 6460->6427 6460->6428 6460->6429 6460->6430 6460->6431 6460->6432 6460->6437 6460->6439 6460->6440 6460->6442 6460->6443 6460->6445 6460->6447 6460->6448 6460->6455 6460->6456 6460->6457 6460->6458 6462 2b87ee6 64 API calls 6460->6462 6463 2b8d452 SetFileAttributesA 6460->6463 6464 2b8d29f SetFileAttributesA 6460->6464 6467 2b8d31d SetFileAttributesA 6460->6467 6992 2b8c75d 6460->6992 7004 2b87e2f 6460->7004 7026 2b87ead 6460->7026 7036 2b831d0 6460->7036 7053 2b83c09 6460->7053 7063 2b83a00 6460->7063 7067 2b8e7b4 6460->7067 7070 2b8c06c 6460->7070 7076 2b86f5f GetUserNameA 6460->7076 7087 2b8e854 6460->7087 7097 2b87dd6 6460->7097 6461->6460 6462->6460 6463->6460 6464->6458 6467->6460 6469 2b8677a SetFileAttributesA 
Execution graph: the node/edge listing of the interactive graph view is not reproduced here. The API call chains recoverable from it, by function address, are:
2b86784-2b86977: CreateFileA, SetFileAttributesA, GetFileSize, ReadFile, SetFilePointer, FindCloseChangeNotification; 2b86a60: CreateFileA, GetDiskFreeSpaceA, WriteFile, CloseHandle, GetLastError, DeleteFileA (file read/write helpers)
2b89794-2b89858: CreateProcessA, GetThreadContext, then 2b8638a: GetModuleHandleA, VirtualAlloc, VirtualAllocEx, WriteProcessMemory, then WriteProcessMemory, SetThreadContext, ResumeThread, with TerminateProcess on the failure paths (the injection chain behind the report's "Injects a PE file into a foreign processes" / "Writes to foreign memory regions" signatures)
2b87809-2b87a8d: GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, GetSecurityDescriptorDacl, EqualSid, GetAce, DeleteAce, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, SetFileSecurityA (file owner/DACL rewriting); 2b87a95-2b87da7: the same pattern on registry keys with RegOpenKeyExA, RegGetKeySecurity, RegSetKeySecurity, RegSetValueExA
2b84084-2b8427b: CreateNamedPipeA, ConnectNamedPipe, overlapped ReadFile/WriteFile (GetLastError, WaitForSingleObject, GetOverlappedResult), DisconnectNamedPipe, ExitProcess
2b8f315-2b8f47c: htons, socket, ioctlsocket, connect, select, __WSAFDIsSet, setsockopt (x5), recv; 2b8c73c: send; 2b8a7c1: lstrlenA, send, recv, wsprintfA; 2b82684: inet_addr, gethostbyname; 2b826b2: gethostbyaddr, inet_ntoa; 2b830d0: gethostname, gethostbyname; 2b82d21: DnsQuery_A resolved via LoadLibraryA/GetProcAddress
2b819ce/2b81ac3: GetBestInterface, GetAdaptersInfo, GetAdaptersAddresses, GetComputerNameA, GetVolumeInformationA; 2b81924: GetVersionExA; 2b8ad89: GetLocalTime, SystemTimeToFileTime (host and time fingerprinting)
2b86edd: AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetUserNameW, LookupAccountNameW; 2b86f88: LookupAccountNameA, ConvertSidToStringSidA; 2b81280: ShellExecuteExW, CreateProcessWithLogonW, WaitForSingleObject
2b8919e-2b891e7: wsprintfA, GetTempPathA, CreateFileA, lstrlenA, WriteFile, CloseHandle, ShellExecuteA (file dropped under the temp path and launched); 2b892bf: ShellExecuteA retried with Sleep; 2b886e0-2b8875b: lstrcpyA, lstrlenA, CreateProcessA, CloseHandle, DeleteFileA
2b8e095: RegCreateKeyExA, RegSetValueExA, RegDeleteValueA, RegCloseKey; 2b8972d: RegOpenKeyExA, RegDeleteValueA; 2b88407-2b88573: RegOpenKeyExA, RegQueryValueExA, RegSetValueExA; 2b87ece: DeleteFileA
2b8c4ab: InterlockedIncrement, CreateThread starting the 2b8b535 worker (lstrlenA, lstrcpyA, lstrcmpA, lstrcpynA, GetTickCount, Sleep, InterlockedIncrement/InterlockedDecrement, closesocket, send/recv via 2b8a7c1); 2b8dd05 and 2b830fa: InterlockedExchange, GetCurrentThreadId, GetTickCount, Sleep (spin/wait loops)
Heap helpers at 2b8eb74-2b8ec3d: GetProcessHeap with HeapSize, HeapReAlloc, RtlAllocateHeap, RtlFreeHeap; 2b8eae4: LoadLibraryA, GetProcAddress; 2b86ba7: IsBadCodePtr
calls 7714->7715 7716 2b846d8 7715->7716 7717 2b845b3 7 API calls 7716->7717 7718 2b846ea 7717->7718 7719 2b845b3 7 API calls 7718->7719 7720 2b846ff 7719->7720 7721 2b845b3 7 API calls 7720->7721 7722 2b84711 7721->7722 7723 2b845b3 7 API calls 7722->7723 7724 2b84723 7723->7724 7725 2b8ef7c 3 API calls 7724->7725 7726 2b84735 7725->7726 7727 2b8ef7c 3 API calls 7726->7727 7728 2b8474a 7727->7728 7729 2b8ef7c 3 API calls 7728->7729 7730 2b8475c 7729->7730 7730->7686 7732 2b84fac 7731->7732 7735 2b84fb0 7731->7735 7732->7689 7733 2b84ffd 7733->7689 7734 2b84fd5 IsBadCodePtr 7734->7735 7735->7733 7735->7734 7737 2b845c8 7736->7737 7738 2b845c1 7736->7738 7740 2b8ebcc 4 API calls 7737->7740 7742 2b845e1 7737->7742 7739 2b8ebcc 4 API calls 7738->7739 7739->7737 7740->7742 7741 2b84691 7741->7713 7742->7741 7743 2b8ef7c 3 API calls 7742->7743 7743->7742 7759 2b82d21 GetModuleHandleA 7744->7759 7747 2b82fcf GetProcessHeap HeapFree 7751 2b82f44 7747->7751 7748 2b82f4f 7750 2b82f6b GetProcessHeap HeapFree 7748->7750 7749 2b82f85 7749->7747 7749->7749 7750->7751 7751->7589 7753 2b83900 7752->7753 7757 2b83980 7752->7757 7754 2b830fa 4 API calls 7753->7754 7758 2b8390a 7754->7758 7755 2b8391b GetCurrentThreadId 7755->7758 7756 2b83939 GetCurrentThreadId 7756->7758 7757->7588 7758->7755 7758->7756 7758->7757 7760 2b82d5b GetProcAddress 7759->7760 7761 2b82d46 LoadLibraryA 7759->7761 7762 2b82d6b DnsQuery_A 7760->7762 7765 2b82d54 7760->7765 7761->7760 7761->7765 7763 2b82d7d 7762->7763 7762->7765 7764 2b82d97 GetProcessHeap HeapAlloc 7763->7764 7763->7765 7764->7765 7767 2b82dac 7764->7767 7765->7748 7765->7749 7765->7751 7766 2b82db5 lstrcpynA 7766->7767 7767->7763 7767->7766 7769 2b8adbf 7768->7769 7793 2b8ad08 gethostname 7769->7793 7772 2b830b5 2 API calls 7773 2b8add3 7772->7773 7774 2b8a7a3 inet_ntoa 7773->7774 7775 2b8ade4 7773->7775 7774->7775 7776 2b8ae85 wsprintfA 7775->7776 7778 2b8ae36 wsprintfA wsprintfA 7775->7778 7777 2b8ef7c 3 API calls 7776->7777 7779 
2b8aebb 7777->7779 7780 2b8ef7c 3 API calls 7778->7780 7781 2b8ef7c 3 API calls 7779->7781 7780->7775 7782 2b8aed2 7781->7782 7783 2b8b211 7782->7783 7784 2b8b2bb FileTimeToLocalFileTime FileTimeToSystemTime 7783->7784 7785 2b8b2af GetLocalTime 7783->7785 7786 2b8b2d2 7784->7786 7785->7786 7787 2b8b2d9 SystemTimeToFileTime 7786->7787 7788 2b8b31c GetTimeZoneInformation 7786->7788 7789 2b8b2ec 7787->7789 7791 2b8b33a wsprintfA 7788->7791 7790 2b8b312 FileTimeToSystemTime 7789->7790 7790->7788 7791->7638 7794 2b8ad71 7793->7794 7799 2b8ad26 lstrlenA 7793->7799 7796 2b8ad79 lstrcpyA 7794->7796 7797 2b8ad85 7794->7797 7796->7797 7797->7772 7798 2b8ad68 lstrlenA 7798->7794 7799->7794 7799->7798 7801 2b82d21 7 API calls 7800->7801 7802 2b82f01 7801->7802 7803 2b82f14 7802->7803 7804 2b82f06 7802->7804 7805 2b82684 2 API calls 7803->7805 7823 2b82df2 GetModuleHandleA 7804->7823 7807 2b82f1d 7805->7807 7807->7376 7809 2b82f1f 7809->7376 7811 2b8f428 14 API calls 7810->7811 7812 2b8198a 7811->7812 7813 2b81998 7812->7813 7814 2b81990 closesocket 7812->7814 7813->7374 7814->7813 7816 2b81c80 7815->7816 7817 2b81cc2 wsprintfA 7816->7817 7818 2b81d1c 7816->7818 7821 2b81d79 7816->7821 7819 2b82684 2 API calls 7817->7819 7818->7818 7820 2b81d47 wsprintfA 7818->7820 7819->7816 7822 2b82684 2 API calls 7820->7822 7821->7397 7822->7821 7824 2b82e0b 7823->7824 7825 2b82e10 LoadLibraryA 7823->7825 7824->7825 7826 2b82e17 7824->7826 7825->7826 7827 2b82ef1 7826->7827 7828 2b82e28 GetProcAddress 7826->7828 7827->7803 7827->7809 7828->7827 7829 2b82e3e GetProcessHeap HeapAlloc 7828->7829 7830 2b82e62 7829->7830 7830->7827 7831 2b82ede GetProcessHeap HeapFree 7830->7831 7832 2b82e7f htons inet_addr 7830->7832 7833 2b82ea5 gethostbyname 7830->7833 7835 2b82ceb 7830->7835 7831->7827 7832->7830 7832->7833 7833->7830 7836 2b82cf2 7835->7836 7838 2b82d1c 7836->7838 7839 2b82d0e Sleep 7836->7839 7840 2b82a62 GetProcessHeap HeapAlloc 7836->7840 7838->7830 7839->7836 7839->7838 7841 2b82a99 
socket 7840->7841 7842 2b82a92 7840->7842 7843 2b82cd3 GetProcessHeap HeapFree 7841->7843 7844 2b82ab4 7841->7844 7842->7836 7843->7842 7844->7843 7858 2b82abd 7844->7858 7845 2b82adb htons 7860 2b826ff 7845->7860 7847 2b82b04 select 7847->7858 7848 2b82ca4 7849 2b82cb3 GetProcessHeap HeapFree closesocket 7848->7849 7849->7842 7850 2b82b3f recv 7850->7858 7851 2b82b66 htons 7851->7848 7851->7858 7852 2b82b87 htons 7852->7848 7852->7858 7855 2b82bf3 GetProcessHeap HeapAlloc 7855->7858 7856 2b82c17 htons 7875 2b82871 7856->7875 7858->7845 7858->7847 7858->7848 7858->7849 7858->7850 7858->7851 7858->7852 7858->7855 7858->7856 7859 2b82c4d GetProcessHeap HeapFree 7858->7859 7867 2b82923 7858->7867 7879 2b82904 7858->7879 7859->7858 7861 2b8271d 7860->7861 7862 2b82717 7860->7862 7864 2b8272b GetTickCount htons 7861->7864 7863 2b8ebcc 4 API calls 7862->7863 7863->7861 7865 2b827cc htons htons sendto 7864->7865 7866 2b8278a 7864->7866 7865->7858 7866->7865 7868 2b82944 7867->7868 7870 2b8293d 7867->7870 7883 2b82816 htons 7868->7883 7870->7858 7871 2b82871 htons 7874 2b82950 7871->7874 7872 2b829bd htons htons htons 7872->7870 7873 2b829f6 GetProcessHeap HeapAlloc 7872->7873 7873->7870 7873->7874 7874->7870 7874->7871 7874->7872 7876 2b828e3 7875->7876 7877 2b82889 7875->7877 7876->7858 7877->7876 7878 2b828c3 htons 7877->7878 7878->7876 7878->7877 7880 2b82908 7879->7880 7882 2b82921 7879->7882 7881 2b82909 GetProcessHeap HeapFree 7880->7881 7881->7881 7881->7882 7882->7858 7884 2b8286b 7883->7884 7885 2b82836 7883->7885 7884->7874 7885->7884 7886 2b8285c htons 7885->7886 7886->7884 7886->7885 7888 2b86bbc 7887->7888 7889 2b86bc0 7887->7889 7888->7416 7890 2b8ebcc 4 API calls 7889->7890 7899 2b86bd4 7889->7899 7891 2b86be4 7890->7891 7892 2b86bfc 7891->7892 7893 2b86c07 CreateFileA 7891->7893 7891->7899 7894 2b8ec2e codecvt 4 API calls 7892->7894 7895 2b86c2a 7893->7895 7896 2b86c34 WriteFile 7893->7896 7894->7899 7900 2b8ec2e codecvt 4 API calls 7895->7900 7897 2b86c49 
CloseHandle DeleteFileA 7896->7897 7898 2b86c5a CloseHandle 7896->7898 7897->7895 7901 2b8ec2e codecvt 4 API calls 7898->7901 7899->7416 7900->7899 7901->7899 8098 2b84960 8099 2b8496d 8098->8099 8101 2b8497d 8098->8101 8100 2b8ebed 8 API calls 8099->8100 8100->8101 7943 2b85e21 7944 2b85e29 7943->7944 7945 2b85e36 7943->7945 7947 2b850dc 7944->7947 7948 2b84bd1 4 API calls 7947->7948 7949 2b850f2 7948->7949 7950 2b84ae6 8 API calls 7949->7950 7956 2b850ff 7950->7956 7951 2b85130 7952 2b84ae6 8 API calls 7951->7952 7954 2b85138 7952->7954 7953 2b84ae6 8 API calls 7955 2b85110 lstrcmpA 7953->7955 7957 2b8513e 7954->7957 7958 2b8516e 7954->7958 7960 2b84ae6 8 API calls 7954->7960 7955->7951 7955->7956 7956->7951 7956->7953 7959 2b84ae6 8 API calls 7956->7959 7957->7945 7958->7957 7961 2b84ae6 8 API calls 7958->7961 7959->7956 7962 2b8515e 7960->7962 7963 2b851b6 7961->7963 7962->7958 7965 2b84ae6 8 API calls 7962->7965 7990 2b84a3d 7963->7990 7965->7958 7967 2b84ae6 8 API calls 7968 2b851c7 7967->7968 7969 2b84ae6 8 API calls 7968->7969 7970 2b851d7 7969->7970 7971 2b84ae6 8 API calls 7970->7971 7972 2b851e7 7971->7972 7972->7957 7973 2b84ae6 8 API calls 7972->7973 7974 2b85219 7973->7974 7975 2b84ae6 8 API calls 7974->7975 7976 2b85227 7975->7976 7977 2b84ae6 8 API calls 7976->7977 7978 2b8524f lstrcpyA 7977->7978 7979 2b84ae6 8 API calls 7978->7979 7983 2b85263 7979->7983 7980 2b84ae6 8 API calls 7981 2b85315 7980->7981 7982 2b84ae6 8 API calls 7981->7982 7984 2b85323 7982->7984 7983->7980 7985 2b84ae6 8 API calls 7984->7985 7987 2b85331 7985->7987 7986 2b84ae6 8 API calls 7986->7987 7987->7957 7987->7986 7988 2b84ae6 8 API calls 7987->7988 7989 2b85351 lstrcmpA 7988->7989 7989->7957 7989->7987 7991 2b84a4a 7990->7991 7992 2b84a53 7990->7992 7993 2b8ebed 8 API calls 7991->7993 7994 2b84a78 7992->7994 7995 2b8ebed 8 API calls 7992->7995 7993->7992 7996 2b84a8e 7994->7996 7997 2b84aa3 7994->7997 7995->7994 7998 2b84a9b 7996->7998 8000 2b8ec2e codecvt 4 API calls 
7996->8000 7997->7998 7999 2b8ebed 8 API calls 7997->7999 7998->7967 7999->7998 8000->7998 8102 2b84861 IsBadWritePtr 8103 2b84876 8102->8103 8104 2b89961 RegisterServiceCtrlHandlerA 8105 2b8997d 8104->8105 8112 2b899cb 8104->8112 8114 2b89892 8105->8114 8107 2b8999a 8108 2b899ba 8107->8108 8109 2b89892 SetServiceStatus 8107->8109 8111 2b89892 SetServiceStatus 8108->8111 8108->8112 8110 2b899aa 8109->8110 8110->8108 8113 2b898f2 41 API calls 8110->8113 8111->8112 8113->8108 8115 2b898c2 SetServiceStatus 8114->8115 8115->8107 8001 2b835a5 8002 2b830fa 4 API calls 8001->8002 8004 2b835b3 8002->8004 8003 2b835ea 8004->8003 8008 2b8355d 8004->8008 8006 2b835da 8006->8003 8007 2b8355d 4 API calls 8006->8007 8007->8003 8009 2b8f04e 4 API calls 8008->8009 8010 2b8356a 8009->8010 8010->8006 8011 2b85099 8012 2b84bd1 4 API calls 8011->8012 8013 2b850a2 8012->8013 8121 2b8195b 8122 2b8196b 8121->8122 8123 2b81971 8121->8123 8124 2b8ec2e codecvt 4 API calls 8122->8124 8124->8123 8014 2b86511 wsprintfA IsBadReadPtr 8015 2b8656a htonl htonl wsprintfA wsprintfA 8014->8015 8016 2b8674e 8014->8016 8018 2b865f3 8015->8018 8017 2b8e318 23 API calls 8016->8017 8019 2b86753 ExitProcess 8017->8019 8020 2b8668a GetCurrentProcess StackWalk64 8018->8020 8021 2b866a0 wsprintfA 8018->8021 8023 2b86652 wsprintfA 8018->8023 8020->8018 8020->8021 8022 2b866ba 8021->8022 8024 2b86712 wsprintfA 8022->8024 8025 2b866da wsprintfA 8022->8025 8026 2b866ed wsprintfA 8022->8026 8023->8018 8027 2b8e8a1 30 API calls 8024->8027 8025->8026 8026->8022 8028 2b86739 8027->8028 8029 2b8e318 23 API calls 8028->8029 8030 2b86741 8029->8030 8125 2b88c51 8126 2b88c86 8125->8126 8128 2b88c5d 8125->8128 8127 2b88c8b lstrcmpA 8126->8127 8138 2b88c7b 8126->8138 8130 2b88c9e 8127->8130 8127->8138 8131 2b88c7d 8128->8131 8132 2b88c6e 8128->8132 8129 2b88cad 8137 2b8ebcc 4 API calls 8129->8137 8129->8138 8130->8129 8133 2b8ec2e codecvt 4 API calls 8130->8133 8147 2b88bb3 8131->8147 8139 2b88be7 8132->8139 8133->8129 
8137->8138 8140 2b88bf2 8139->8140 8146 2b88c2a 8139->8146 8141 2b88bb3 6 API calls 8140->8141 8142 2b88bf8 8141->8142 8151 2b86410 8142->8151 8144 2b88c01 8144->8146 8166 2b86246 8144->8166 8146->8138 8148 2b88bbc 8147->8148 8150 2b88be4 8147->8150 8149 2b86246 6 API calls 8148->8149 8148->8150 8149->8150 8152 2b8641e 8151->8152 8153 2b86421 8151->8153 8152->8144 8154 2b8643a 8153->8154 8155 2b8643e VirtualAlloc 8153->8155 8154->8144 8156 2b8645b VirtualAlloc 8155->8156 8157 2b86472 8155->8157 8156->8157 8165 2b864fb 8156->8165 8158 2b8ebcc 4 API calls 8157->8158 8159 2b86479 8158->8159 8159->8165 8176 2b86069 8159->8176 8162 2b864da 8164 2b86246 6 API calls 8162->8164 8162->8165 8164->8165 8165->8144 8167 2b862b3 8166->8167 8170 2b86252 8166->8170 8167->8146 8168 2b86297 8171 2b862ad 8168->8171 8172 2b862a0 VirtualFree 8168->8172 8169 2b8628f 8174 2b8ec2e codecvt 4 API calls 8169->8174 8170->8168 8170->8169 8173 2b86281 FreeLibrary 8170->8173 8175 2b8ec2e codecvt 4 API calls 8171->8175 8172->8171 8173->8170 8174->8168 8175->8167 8177 2b86090 IsBadReadPtr 8176->8177 8179 2b86089 8176->8179 8177->8179 8183 2b860aa 8177->8183 8178 2b860c0 LoadLibraryA 8178->8179 8178->8183 8179->8162 8186 2b85f3f 8179->8186 8180 2b8ebcc 4 API calls 8180->8183 8181 2b8ebed 8 API calls 8181->8183 8182 2b86191 IsBadReadPtr 8182->8179 8182->8183 8183->8178 8183->8179 8183->8180 8183->8181 8183->8182 8184 2b86141 GetProcAddress 8183->8184 8185 2b86155 GetProcAddress 8183->8185 8184->8183 8185->8183 8187 2b85fe6 8186->8187 8189 2b85f61 8186->8189 8187->8162 8188 2b85fbf VirtualProtect 8188->8187 8188->8189 8189->8187 8189->8188 8031 2b84e92 GetTickCount 8032 2b84ec0 InterlockedExchange 8031->8032 8033 2b84ec9 8032->8033 8034 2b84ead GetTickCount 8032->8034 8034->8033 8035 2b84eb8 Sleep 8034->8035 8035->8032 8190 2b843d2 8191 2b843e0 8190->8191 8192 2b843ef 8191->8192 8193 2b81940 4 API calls 8191->8193 8193->8192 8036 2b85d93 IsBadWritePtr 8037 2b85da8 8036->8037 8039 2b85ddc 8036->8039 
8038 2b85389 12 API calls 8037->8038 8037->8039 8038->8039 8194 2b84ed3 8199 2b84c9a 8194->8199 8201 2b84ca9 8199->8201 8202 2b84cd8 8199->8202 8200 2b8ec2e codecvt 4 API calls 8200->8202 8201->8200 8203 2b85453 8208 2b8543a 8203->8208 8211 2b85048 8208->8211 8212 2b84bd1 4 API calls 8211->8212 8213 2b85056 8212->8213 8214 2b8ec2e codecvt 4 API calls 8213->8214 8215 2b8508b 8213->8215 8214->8215 8040 2b88314 8041 2b8675c 21 API calls 8040->8041 8042 2b88324 8041->8042 8216 2b8e749 8217 2b8dd05 6 API calls 8216->8217 8218 2b8e751 8217->8218 8219 2b8e781 lstrcmpA 8218->8219 8220 2b8e799 8218->8220 8219->8218 8052 2b8448b 8054 2b84499 8052->8054 8053 2b844ab 8054->8053 8056 2b81940 8054->8056 8057 2b8ec2e codecvt 4 API calls 8056->8057 8058 2b81949 8057->8058 8058->8053 8059 2b85e0d 8060 2b850dc 17 API calls 8059->8060 8061 2b85e20 8060->8061 8062 2b84c0d 8063 2b84ae6 8 API calls 8062->8063 8064 2b84c17 8063->8064 8225 2b85e4d 8226 2b85048 8 API calls 8225->8226 8227 2b85e55 8226->8227 8228 2b85e64 8227->8228 8229 2b81940 4 API calls 8227->8229 8229->8228 8065 2b8f483 WSAStartup 8066 2b85b84 IsBadWritePtr 8067 2b85b99 8066->8067 8068 2b85b9d 8066->8068 8069 2b84bd1 4 API calls 8068->8069 8070 2b85bcc 8069->8070 8071 2b85472 18 API calls 8070->8071 8072 2b85be5 8071->8072 8073 2b8f304 8076 2b8f26d setsockopt setsockopt setsockopt setsockopt setsockopt 8073->8076 8075 2b8f312 8076->8075 8077 2b85c05 IsBadWritePtr 8078 2b85ca6 8077->8078 8079 2b85c24 IsBadWritePtr 8077->8079 8079->8078 8080 2b85c32 8079->8080 8081 2b85c82 8080->8081 8082 2b84bd1 4 API calls 8080->8082 8083 2b84bd1 4 API calls 8081->8083 8082->8081 8084 2b85c90 8083->8084 8085 2b85472 18 API calls 8084->8085 8085->8078
                                                                                                    APIs
                                                                                                    • closesocket.WS2_32(?), ref: 02B8CA4E
                                                                                                    • closesocket.WS2_32(?), ref: 02B8CB63
                                                                                                    • GetTempPathA.KERNEL32(00000120,?), ref: 02B8CC28
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B8CCB4
                                                                                                    • WriteFile.KERNEL32(02B8A4B3,?,-000000E8,?,00000000), ref: 02B8CCDC
                                                                                                    • CloseHandle.KERNEL32(02B8A4B3), ref: 02B8CCED
                                                                                                    • wsprintfA.USER32 ref: 02B8CD21
                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B8CD77
                                                                                                    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02B8CD89
                                                                                                    • CloseHandle.KERNEL32(?), ref: 02B8CD98
                                                                                                    • CloseHandle.KERNEL32(?), ref: 02B8CD9D
                                                                                                    • DeleteFileA.KERNEL32(?), ref: 02B8CDC4
                                                                                                    • CloseHandle.KERNEL32(02B8A4B3), ref: 02B8CDCC
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B8CFB1
                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02B8CFEF
                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02B8D033
                                                                                                    • lstrcatA.KERNEL32(?,04300108), ref: 02B8D10C
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 02B8D155
                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02B8D171
                                                                                                    • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000), ref: 02B8D195
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02B8D19C
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 02B8D1C8
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B8D231
                                                                                                    • lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02B8D27C
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02B8D2AB
                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02B8D2C7
                                                                                                    • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02B8D2EB
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02B8D2F2
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02B8D326
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B8D372
                                                                                                    • lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02B8D3BD
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02B8D3EC
                                                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02B8D408
                                                                                                    • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02B8D428
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02B8D42F
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02B8D45B
                                                                                                    • CreateProcessA.KERNEL32(?,02B90264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B8D4DE
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B8D4F4
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B8D4FC
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B8D513
                                                                                                    • closesocket.WS2_32(?), ref: 02B8D56C
                                                                                                    • Sleep.KERNEL32(000003E8), ref: 02B8D577
                                                                                                    • ExitProcess.KERNEL32 ref: 02B8D583
                                                                                                    • wsprintfA.USER32 ref: 02B8D81F
                                                                                                      • Part of subcall function 02B8C65C: send.WS2_32(00000000,?,00000000), ref: 02B8C74B
                                                                                                    • closesocket.WS2_32(?), ref: 02B8DAD5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                    • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                    • API String ID: 562065436-525379930
                                                                                                    • Opcode ID: 981d7f8e122b191e3c55bdc2ea51d458c13317c5f135db0676f2874a6b046498
                                                                                                    • Instruction ID: d0d36fdbf11391fdb2f706f2e3692a3c07edef69ce055031446d6d5693a9d22d
                                                                                                    • Opcode Fuzzy Hash: 981d7f8e122b191e3c55bdc2ea51d458c13317c5f135db0676f2874a6b046498
                                                                                                    • Instruction Fuzzy Hash: A1B2A3B2D44219ABEB14BFA4DD45FEA7BB9EB08344F1408EAF60DA3190D7309955CF60
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 02B89A7F
                                                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 02B89A83
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(02B86511), ref: 02B89A8A
                                                                                                      • Part of subcall function 02B8EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B8EC5E
                                                                                                      • Part of subcall function 02B8EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02B8EC72
                                                                                                      • Part of subcall function 02B8EC54: GetTickCount.KERNEL32 ref: 02B8EC78
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02B89AB3
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 02B89ABA
                                                                                                    • GetCommandLineA.KERNEL32 ref: 02B89AFD
                                                                                                    • lstrlenA.KERNEL32(?), ref: 02B89B99
                                                                                                    • ExitProcess.KERNEL32 ref: 02B89C06
                                                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 02B89CAC
                                                                                                    • lstrcpyA.KERNEL32(?,00000000), ref: 02B89D7A
                                                                                                    • lstrcatA.KERNEL32(?,?), ref: 02B89D8B
                                                                                                    • lstrcatA.KERNEL32(?,02B9070C), ref: 02B89D9D
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B89DED
                                                                                                    • DeleteFileA.KERNEL32(00000022), ref: 02B89E38
                                                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02B89E6F
                                                                                                    • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02B89EC8
                                                                                                    • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02B89ED5
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02B89F3B
                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02B89F5E
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02B89F6A
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02B89FAD
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B89FB4
                                                                                                    • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B89FFE
                                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 02B8A038
                                                                                                    • lstrcatA.KERNEL32(00000022,02B90A34), ref: 02B8A05E
                                                                                                    • lstrcatA.KERNEL32(00000022,00000022), ref: 02B8A072
                                                                                                    • lstrcatA.KERNEL32(00000022,02B90A34), ref: 02B8A08D
                                                                                                    • wsprintfA.USER32 ref: 02B8A0B6
                                                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 02B8A0DE
                                                                                                    • lstrcatA.KERNEL32(00000022,?), ref: 02B8A0FD
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02B8A120
                                                                                                    • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B8A131
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02B8A174
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 02B8A17B
                                                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 02B8A1B6
                                                                                                    • GetCommandLineA.KERNEL32 ref: 02B8A1E5
                                                                                                      • Part of subcall function 02B899D2: lstrcpyA.KERNEL32(?,?,00000100,02B922F8,00000000,?,02B89E9D,?,00000022,?,?,?,?,?,?,?), ref: 02B899DF
                                                                                                      • Part of subcall function 02B899D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02B89E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02B89A3C
                                                                                                      • Part of subcall function 02B899D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02B89E9D,?,00000022,?,?,?), ref: 02B89A52
                                                                                                    • lstrlenA.KERNEL32(?), ref: 02B8A288
                                                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02B8A3B7
                                                                                                    • GetLastError.KERNEL32 ref: 02B8A3ED
                                                                                                    • Sleep.KERNEL32(000003E8), ref: 02B8A400
                                                                                                    • DeleteFileA.KERNELBASE(02B933D8), ref: 02B8A407
                                                                                                    • CreateThread.KERNELBASE(00000000,00000000,02B8405E,00000000,00000000,00000000), ref: 02B8A42C
                                                                                                    • WSAStartup.WS2_32(00001010,?), ref: 02B8A43A
                                                                                                    • CreateThread.KERNELBASE(00000000,00000000,02B8877E,00000000,00000000,00000000), ref: 02B8A469
                                                                                                    • Sleep.KERNELBASE(00000BB8), ref: 02B8A48A
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8A49F
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8A4B7
                                                                                                    • Sleep.KERNELBASE(00001A90), ref: 02B8A4C3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                    • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$D$P$\$ptcoklzf
                                                                                                    • API String ID: 2089075347-3926062329
                                                                                                    • Opcode ID: d628e16513ca518245e9fd38091f0be4308bbfdf6b7b9931a00c8cbbb4e118db
                                                                                                    • Instruction ID: ee3b504fbd735829dfd620c9bd6322d38477e42b06750847df9adb35c65f37b4
                                                                                                    • Opcode Fuzzy Hash: d628e16513ca518245e9fd38091f0be4308bbfdf6b7b9931a00c8cbbb4e118db
                                                                                                    • Instruction Fuzzy Hash: EC5251B2D40259ABDF21BBA0CD49AEE7BBDEB04304F1448E6F60DA3141E7719A54CF61

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • inet_addr.WS2_32(123.45.67.89), ref: 02B819B1
                                                                                                    • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02B81E9E), ref: 02B819BF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02B819E2
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02B819ED
                                                                                                    • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02B819F9
                                                                                                    • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02B81E9E), ref: 02B81A1B
                                                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02B81E9E), ref: 02B81A1D
                                                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02B81E9E), ref: 02B81A36
                                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,02B81E9E,?,?,?,?,00000001,02B81E9E), ref: 02B81A4A
                                                                                                    • HeapReAlloc.KERNEL32(?,00000000,00000000,02B81E9E,?,?,?,?,00000001,02B81E9E), ref: 02B81A5A
                                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,02B81E9E,?,?,?,?,00000001,02B81E9E), ref: 02B81A6E
                                                                                                    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02B81E9E), ref: 02B81A9B
                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02B81E9E), ref: 02B81AA4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                                    • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                    • API String ID: 293628436-270533642
                                                                                                    • Opcode ID: c1b61a0bc2bf587e1f3295cf84e355ef7d4c95ede1f62a08da087701f310353d
                                                                                                    • Instruction ID: 92565ba4c86eb61357a21a71c79e09f6d80fd5330ce53bb47008cef29dd883b8
                                                                                                    • Opcode Fuzzy Hash: c1b61a0bc2bf587e1f3295cf84e355ef7d4c95ede1f62a08da087701f310353d
                                                                                                    • Instruction Fuzzy Hash: 8931A232D11219AFDF11BFE8CD888BEBBB9EF44641B1449B9F529E3110D7304A82CB60

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02B87ABA
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 02B87ADF
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,02B9070C,?,?,?), ref: 02B87B16
                                                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02B87B3B
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02B87B59
                                                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 02B87B6A
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B87B7E
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B87B8C
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B87B9C
                                                                                                    • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02B87BAB
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 02B87BB2
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,02B87FC9,?,00000000), ref: 02B87BCE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$D
                                                                                                    • API String ID: 2976863881-1536157608
                                                                                                    • Opcode ID: b4148892485f93a38c949e269c90bc0e49214a2eb1f08a02a18c53c9b39ec8f7
                                                                                                    • Instruction ID: 4bf76ee32219a99cd24c0f3c43d81126639d6be62e4235733c94ad6e0f768879
                                                                                                    • Opcode Fuzzy Hash: b4148892485f93a38c949e269c90bc0e49214a2eb1f08a02a18c53c9b39ec8f7
                                                                                                    • Instruction Fuzzy Hash: E7A16FB5D40219AFDF11AFA0CD88FEEBBB9FB44348F1444A9E509E3150EB318A55DB60

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 02B8782F
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B87866
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 02B87878
                                                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02B8789A
                                                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,02B87F63,?), ref: 02B878B8
                                                                                                    • EqualSid.ADVAPI32(?,02B87F63), ref: 02B878D2
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B878E3
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B878F1
                                                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B87901
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02B87910
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 02B87917
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02B87933
                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 02B87963
                                                                                                    • EqualSid.ADVAPI32(?,02B87F63), ref: 02B8798A
                                                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 02B879A3
                                                                                                    • EqualSid.ADVAPI32(?,02B87F63), ref: 02B879C5
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 02B87A4A
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B87A58
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02B87A69
                                                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02B87A79
                                                                                                    • LocalFree.KERNEL32(00000000), ref: 02B87A87
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                    • String ID: D
                                                                                                    • API String ID: 3722657555-2746444292
                                                                                                    • Opcode ID: 3f6819f5b2f7002a016f87e90aa398084ce8ef593f1b09a9f50a3c4e52c48979
                                                                                                    • Instruction ID: 3f064358290bc5bee743776bb6bcbf27fdd5b18433af232d4f7aa7896940cc08
                                                                                                    • Opcode Fuzzy Hash: 3f6819f5b2f7002a016f87e90aa398084ce8ef593f1b09a9f50a3c4e52c48979
                                                                                                    • Instruction Fuzzy Hash: 16814D75D0011EABDB21EFA4CD44FEEBBB8EF08348F2445A9E619E2140DB349651DF64

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02B90750,?,?,00000000,localcfg,00000000), ref: 02B883F3
                                                                                                    • RegQueryValueExA.KERNELBASE(02B90750,?,00000000,?,02B88893,?,?,?,00000000,00000103,02B90750,?,?,00000000,localcfg,00000000), ref: 02B88414
                                                                                                    • RegSetValueExA.KERNELBASE(02B90750,?,00000000,00000004,02B88893,00000004,?,?,00000000,00000103,02B90750,?,?,00000000,localcfg,00000000), ref: 02B88441
                                                                                                    • RegCloseKey.ADVAPI32(02B90750,?,?,00000000,00000103,02B90750,?,?,00000000,localcfg,00000000), ref: 02B8844A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseOpenQuery
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe$localcfg
                                                                                                    • API String ID: 237177642-1805428051
                                                                                                    • Opcode ID: ecb61b04516d4cd385837beebd883d1adf9f05dda1332da7a9b737c1624e6294
                                                                                                    • Instruction ID: c151386dcb56786e92eee4af7e1de870c74376ae409a4af7b5dbeb33bb619e14
                                                                                                    • Opcode Fuzzy Hash: ecb61b04516d4cd385837beebd883d1adf9f05dda1332da7a9b737c1624e6294
                                                                                                    • Instruction Fuzzy Hash: 47C190B2D8014DBFEB11BBA4DD85EEE7BBDEB04344F5448A5F509A6041EB308A94CF61

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32 ref: 02B81DC6
                                                                                                    • GetSystemInfo.KERNELBASE(?), ref: 02B81DE8
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02B81E03
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02B81E0A
                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 02B81E1B
                                                                                                    • GetTickCount.KERNEL32 ref: 02B81FC9
                                                                                                      • Part of subcall function 02B81BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02B81C15
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                    • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                    • API String ID: 4207808166-1381319158
                                                                                                    • Opcode ID: ebbd24a6ced868e6d03e96201094542d9450fcfad4b558ea58e4defc83e7a88f
                                                                                                    • Instruction ID: e3df007ebc4bc1ed9ddd1849966e3fefe898540d7677703d8a93c3a08e3910d2
                                                                                                    • Opcode Fuzzy Hash: ebbd24a6ced868e6d03e96201094542d9450fcfad4b558ea58e4defc83e7a88f
                                                                                                    • Instruction Fuzzy Hash: CC51B1B1909344AFE720BF798C85F2BBAECEB54748F044DADF59E82242D774A504CB61

Control-flow Graph (entry block 2b873ff; executed/not-executed block colouring and edge list not reproduced)
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 02B87472
                                                                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 02B874F0
                                                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 02B87528
                                                                                                    • ___ascii_stricmp.LIBCMT ref: 02B8764D
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 02B876E7
                                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02B87706
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 02B87717
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 02B87745
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 02B877EF
                                                                                                      • Part of subcall function 02B8F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02B922F8,000000C8,02B87150,?), ref: 02B8F1AD
                                                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B8778F
                                                                                                    • RegCloseKey.KERNELBASE(?), ref: 02B877E6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                    • String ID: "
                                                                                                    • API String ID: 3433985886-123907689
                                                                                                    • Opcode ID: a774605b9b31f1a2d1bd1ec66c2d4e6b2729709647238c265220aab7d5b4c51a
                                                                                                    • Instruction ID: bb5692d22c60d57b5076c46dabe1084a8d4ec30f6436d223649340eb86afc4a4
                                                                                                    • Opcode Fuzzy Hash: a774605b9b31f1a2d1bd1ec66c2d4e6b2729709647238c265220aab7d5b4c51a
                                                                                                    • Instruction Fuzzy Hash: A9C19076940209ABEB11BBA4DC45FEEBBBAEF45314F2404E5F508A6190EF31DA44DF60

Control-flow Graph (entry block 2b8675c; executed/not-executed block colouring and edge list not reproduced)
                                                                                                    APIs
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 02B8677E
                                                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 02B8679A
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 02B867B0
                                                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 02B867BF
                                                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 02B867D3
                                                                                                    • ReadFile.KERNELBASE(000000FF,?,00000040,02B88244,00000000,?,771B0F10,00000000), ref: 02B86807
                                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02B8681F
                                                                                                    • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 02B8683E
                                                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02B8685C
                                                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,02B88244,00000000,?,771B0F10,00000000), ref: 02B8688B
                                                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 02B86906
                                                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,02B88244,00000000,?,771B0F10,00000000), ref: 02B8691C
                                                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,771B0F10,00000000), ref: 02B86971
                                                                                                      • Part of subcall function 02B8EC2E: GetProcessHeap.KERNEL32(00000000,02B8EA27,00000000,02B8EA27,00000000), ref: 02B8EC41
                                                                                                      • Part of subcall function 02B8EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02B8EC48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1400801100-0
                                                                                                    • Opcode ID: 898e4390649cac6686d9b197fc6dddf1e83fb60dae44deb20148eb29fe6d2eec
                                                                                                    • Instruction ID: 6f211b48aaac104f767d92fbbccfb7daf7466901d6233fc17236f2cd523bad90
                                                                                                    • Opcode Fuzzy Hash: 898e4390649cac6686d9b197fc6dddf1e83fb60dae44deb20148eb29fe6d2eec
                                                                                                    • Instruction Fuzzy Hash: 89711971C0021DEFDF15AFA4CD84AEEBBB9FB08354F1045AAE519A6190E7309E51CF60

Control-flow Graph (entry block 2b8f315; executed/not-executed block colouring and edge list not reproduced)
                                                                                                    APIs
                                                                                                    • htons.WS2_32(02B8CA1D), ref: 02B8F34D
                                                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 02B8F367
                                                                                                    • closesocket.WS2_32(00000000), ref: 02B8F375
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: closesockethtonssocket
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 311057483-2401304539
                                                                                                    • Opcode ID: 05e22a48362a95dd3c41200bb8c195db6c8ce6e348be6a991ff77ecf1e7104f3
                                                                                                    • Instruction ID: daf7a66f28ce7b289f195995ac620867882de70757e2bdf07005a3936a3d5b35
                                                                                                    • Opcode Fuzzy Hash: 05e22a48362a95dd3c41200bb8c195db6c8ce6e348be6a991ff77ecf1e7104f3
                                                                                                    • Instruction Fuzzy Hash: 13317A72940119ABDB10EFA9DC849FEBBBCFF89350F1445A6F919E3140E7309A51CBA0

Control-flow Graph (entry block 2b8405e; executed/not-executed block colouring and edge list not reproduced)
                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02B84070
                                                                                                    • ExitProcess.KERNEL32 ref: 02B84121
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateEventExitProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 2404124870-0
                                                                                                    • Opcode ID: 55d1236d929c3b7a306c20e139e2104846d72376732211a5a4c7f1a656e32021
                                                                                                    • Instruction ID: 3a3f219f0085a52295a0677f38c327f27c20f485397a58b2830d15bf186a0e33
                                                                                                    • Opcode Fuzzy Hash: 55d1236d929c3b7a306c20e139e2104846d72376732211a5a4c7f1a656e32021
                                                                                                    • Instruction Fuzzy Hash: D85181B1D4021ABBEB21BBA08D45FBF7ABDEF15754F0004A5F618F6180E7358A41CBA1

Control-flow Graph (entry block 2b82d21; executed/not-executed block colouring and edge list not reproduced)
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,02B82F01,?,02B820FF,02B92000), ref: 02B82D3A
                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 02B82D4A
                                                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02B82D61
                                                                                                    • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02B82D77
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02B82D99
                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 02B82DA0
                                                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02B82DCB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                                                    • API String ID: 233223969-3847274415
                                                                                                    • Opcode ID: 92f167badfcc1446b2a322b3faeb08939f6faab0aa5e50d2e980a493a582d0a3
                                                                                                    • Instruction ID: 4880d4dfbf2f01d25c239abd143bf63eaa4d0b440161ca5352f4d865a08bca71
                                                                                                    • Opcode Fuzzy Hash: 92f167badfcc1446b2a322b3faeb08939f6faab0aa5e50d2e980a493a582d0a3
                                                                                                    • Instruction Fuzzy Hash: 6C218E7194022AABCB21AF64DD44AAEBFB8EF08B50F104892FD09E3100E770D981CBD0

Control-flow Graph (entry block 2b880c9; executed/not-executed block colouring and edge list not reproduced)
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02B8815F
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B8A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02B88187
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02B8A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02B881BE
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 02B88210
                                                                                                      • Part of subcall function 02B8675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 02B8677E
                                                                                                      • Part of subcall function 02B8675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 02B8679A
                                                                                                      • Part of subcall function 02B8675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 02B867B0
                                                                                                      • Part of subcall function 02B8675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 02B867BF
                                                                                                      • Part of subcall function 02B8675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 02B867D3
                                                                                                      • Part of subcall function 02B8675C: ReadFile.KERNELBASE(000000FF,?,00000040,02B88244,00000000,?,771B0F10,00000000), ref: 02B86807
                                                                                                      • Part of subcall function 02B8675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02B8681F
                                                                                                      • Part of subcall function 02B8675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 02B8683E
                                                                                                      • Part of subcall function 02B8675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 02B8685C
                                                                                                      • Part of subcall function 02B8EC2E: GetProcessHeap.KERNEL32(00000000,02B8EA27,00000000,02B8EA27,00000000), ref: 02B8EC41
                                                                                                      • Part of subcall function 02B8EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02B8EC48
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                    • String ID: C:\Windows\SysWOW64\ptcoklzf\ybyrikeu.exe
                                                                                                    • API String ID: 124786226-4065764218
                                                                                                    • Opcode ID: 335b0355e35394974602f790c0b5b7508766de6f686bb1ddac20946d801ac50a
                                                                                                    • Instruction ID: 79a432d39e3262b513c6ceed07c7e256313cce5e5f93956e3f6e0490914ee32a
                                                                                                    • Opcode Fuzzy Hash: 335b0355e35394974602f790c0b5b7508766de6f686bb1ddac20946d801ac50a
                                                                                                    • Instruction Fuzzy Hash: 1C414CB2D4511DBFEB11BEA4DD80EBE77BDDB04344F5448EAE949A7000EB309A94CB61

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 1300 2b81ac3-2b81adc LoadLibraryA 1301 2b81b6b-2b81b70 1300->1301 1302 2b81ae2-2b81af3 GetProcAddress 1300->1302 1303 2b81b6a 1302->1303 1304 2b81af5-2b81b01 1302->1304 1303->1301 1305 2b81b1c-2b81b27 GetAdaptersAddresses 1304->1305 1306 2b81b29-2b81b2b 1305->1306 1307 2b81b03-2b81b12 call 2b8ebed 1305->1307 1309 2b81b5b-2b81b5e 1306->1309 1310 2b81b2d-2b81b32 1306->1310 1307->1306 1315 2b81b14-2b81b1b 1307->1315 1312 2b81b69 1309->1312 1314 2b81b60-2b81b68 call 2b8ec2e 1309->1314 1310->1312 1313 2b81b34-2b81b3b 1310->1313 1312->1303 1316 2b81b3d-2b81b52 1313->1316 1317 2b81b54-2b81b59 1313->1317 1314->1312 1315->1305 1316->1316 1316->1317 1317->1309 1317->1313
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B81AD4
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B81AE9
                                                                                                    • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B81B20
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                    • API String ID: 3646706440-1087626847
                                                                                                    • Opcode ID: c913730d7559c244ea4cef80de6e8dbe9b0f419ba3909afeb5918340d20ecf21
                                                                                                    • Instruction ID: 4a39fd233fd71aa3f44f34e97b593a1ef383582f40db0c01fe220adb82137dc6
                                                                                                    • Opcode Fuzzy Hash: c913730d7559c244ea4cef80de6e8dbe9b0f419ba3909afeb5918340d20ecf21
                                                                                                    • Instruction Fuzzy Hash: 84119672E12138AFDB15BBADDD858EDBBBAEB44B50F1444D5F00DA7110E7309A42CB94

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 1320 2b8e3ca-2b8e3ee RegOpenKeyExA 1321 2b8e528-2b8e52d 1320->1321 1322 2b8e3f4-2b8e3fb 1320->1322 1323 2b8e3fe-2b8e403 1322->1323 1323->1323 1324 2b8e405-2b8e40f 1323->1324 1325 2b8e411-2b8e413 1324->1325 1326 2b8e414-2b8e452 call 2b8ee08 call 2b8f1ed RegQueryValueExA 1324->1326 1325->1326 1331 2b8e458-2b8e486 call 2b8f1ed RegQueryValueExA 1326->1331 1332 2b8e51d-2b8e527 RegCloseKey 1326->1332 1335 2b8e488-2b8e48a 1331->1335 1332->1321 1335->1332 1336 2b8e490-2b8e4a1 call 2b8db2e 1335->1336 1336->1332 1339 2b8e4a3-2b8e4a6 1336->1339 1340 2b8e4a9-2b8e4d3 call 2b8f1ed RegQueryValueExA 1339->1340 1343 2b8e4e8-2b8e4ea 1340->1343 1344 2b8e4d5-2b8e4da 1340->1344 1343->1332 1346 2b8e4ec-2b8e516 call 2b82544 call 2b8e332 1343->1346 1344->1343 1345 2b8e4dc-2b8e4e6 1344->1345 1345->1340 1345->1343 1346->1332
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.KERNELBASE(80000001,02B8E5F2,00000000,00020119,02B8E5F2,02B922F8), ref: 02B8E3E6
                                                                                                    • RegQueryValueExA.ADVAPI32(02B8E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02B8E44E
                                                                                                    • RegQueryValueExA.ADVAPI32(02B8E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02B8E482
                                                                                                    • RegQueryValueExA.ADVAPI32(02B8E5F2,?,00000000,?,80000001,?), ref: 02B8E4CF
                                                                                                    • RegCloseKey.ADVAPI32(02B8E5F2,?,?,?,?,000000C8,000000E4), ref: 02B8E520
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue$CloseOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1586453840-0
                                                                                                    • Opcode ID: f83089a00264ea4035c0a7517d9ea43bf9b2ac3002c33ff87be3706ed4260d49
                                                                                                    • Instruction ID: ab38c81308bf4d1964254e887977449c5c93eb732295958f8fa131092d6a6d21
                                                                                                    • Opcode Fuzzy Hash: f83089a00264ea4035c0a7517d9ea43bf9b2ac3002c33ff87be3706ed4260d49
                                                                                                    • Instruction Fuzzy Hash: F941F8B2D0021DAFDF11AFD4DC81DEEBBBAEB08344F5445A6FA14A3150E3319A55CB60

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 1351 2b8f26d-2b8f303 setsockopt * 5
                                                                                                    APIs
                                                                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02B8F2A0
                                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02B8F2C0
                                                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02B8F2DD
                                                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02B8F2EC
                                                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02B8F2FD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: setsockopt
                                                                                                    • String ID:
                                                                                                    • API String ID: 3981526788-0
                                                                                                    • Opcode ID: ac26d304e500303b392364d22939a4cd2793c789da7ece8b58e9c0c786f4aa0b
                                                                                                    • Instruction ID: 3e2f31d9ae2d956ca6a29b2cda00748f8c6e746003b4e6abec4b978ed98c17b8
                                                                                                    • Opcode Fuzzy Hash: ac26d304e500303b392364d22939a4cd2793c789da7ece8b58e9c0c786f4aa0b
                                                                                                    • Instruction Fuzzy Hash: 3411FBB1A40248BAEB11DE94CD41FAE7FBCEB44751F004066BB04EA1D0E6B19A44CB94

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 1352 2b81bdf-2b81c04 call 2b81ac3 1354 2b81c09-2b81c0b 1352->1354 1355 2b81c5a-2b81c5e 1354->1355 1356 2b81c0d-2b81c1d GetComputerNameA 1354->1356 1357 2b81c1f-2b81c24 1356->1357 1358 2b81c45-2b81c57 GetVolumeInformationA 1356->1358 1357->1358 1359 2b81c26-2b81c3b 1357->1359 1358->1355 1359->1359 1360 2b81c3d-2b81c3f 1359->1360 1360->1358 1361 2b81c41-2b81c43 1360->1361 1361->1355
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B81AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B81AD4
                                                                                                      • Part of subcall function 02B81AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B81AE9
                                                                                                      • Part of subcall function 02B81AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B81B20
                                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 02B81C15
                                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02B81C51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                    • String ID: hi_id$localcfg
                                                                                                    • API String ID: 2794401326-2393279970
                                                                                                    • Opcode ID: 40665cde358024ad3b322f9b94314f9619e144b595b91cbf389cd512747ee99b
                                                                                                    • Instruction ID: 0dad8a4c3b0ef3b0ce7e1e20a531eedee4042f8a85f47e3300ff9fdb5365d75b
                                                                                                    • Opcode Fuzzy Hash: 40665cde358024ad3b322f9b94314f9619e144b595b91cbf389cd512747ee99b
                                                                                                    • Instruction Fuzzy Hash: CD01847691511CBBEB10EAECC8C59EFBBBCE744645F1008B5D70AE7100D2309D45DA60
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B81AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B81AD4
                                                                                                      • Part of subcall function 02B81AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B81AE9
                                                                                                      • Part of subcall function 02B81AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B81B20
                                                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 02B81BA3
                                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02B81EFD,00000000,00000000,00000000,00000000), ref: 02B81BB8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 2794401326-1857712256
                                                                                                    • Opcode ID: bbf29438aaa246c6ca58fa07271d9a5d8dce918b197c7a5cba116a8cfb71b6e0
                                                                                                    • Instruction ID: 4aa8349ee476e008f8c1af727a706b276ef685248b51ac0da8084475937382f2
                                                                                                    • Opcode Fuzzy Hash: bbf29438aaa246c6ca58fa07271d9a5d8dce918b197c7a5cba116a8cfb71b6e0
                                                                                                    • Instruction Fuzzy Hash: F2014FB7D0510CBFE701ABE9C8819EFFBBDEB48654F150561EB15E7140D5705E058AA0
                                                                                                    APIs
                                                                                                    • inet_addr.WS2_32(00000001), ref: 02B82693
                                                                                                    • gethostbyname.WS2_32(00000001), ref: 02B8269F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: gethostbynameinet_addr
                                                                                                    • String ID: time_cfg
                                                                                                    • API String ID: 1594361348-2401304539
                                                                                                    • Opcode ID: 3e2725fafcc25fdfeb9cc16dd5655e7ba59ef12b63593ae98fb5d7d974abd4a0
                                                                                                    • Instruction ID: 674ea08e3408de56dc314749d28b9fa75856f4cf33698b557b763891bd3cad14
                                                                                                    • Opcode Fuzzy Hash: 3e2725fafcc25fdfeb9cc16dd5655e7ba59ef12b63593ae98fb5d7d974abd4a0
                                                                                                    • Instruction Fuzzy Hash: DAE01730A145619FDB50AB28F844BEA7BE5EF4A270F0589C5F898D72A0D730EC81DB94
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8DD05: GetTickCount.KERNEL32 ref: 02B8DD0F
                                                                                                      • Part of subcall function 02B8DD05: InterlockedExchange.KERNEL32(02B936B4,00000001), ref: 02B8DD44
                                                                                                      • Part of subcall function 02B8DD05: GetCurrentThreadId.KERNEL32 ref: 02B8DD53
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,771B0F10,?,00000000,?,02B8A445), ref: 02B8E558
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,771B0F10,?,00000000,?,02B8A445), ref: 02B8E583
                                                                                                    • CloseHandle.KERNEL32(00000000,?,771B0F10,?,00000000,?,02B8A445), ref: 02B8E5B2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                                    • String ID:
                                                                                                    • API String ID: 3683885500-0
                                                                                                    • Opcode ID: 96b4037c69d1e0128c6bea033df7c3077d5821de51f1cd2a40820ab2cbde45d7
                                                                                                    • Instruction ID: 3dcf231b63bc03205aa10b69ca1444c03435a865d384f5b4c8b1f21fc0506bc8
                                                                                                    • Opcode Fuzzy Hash: 96b4037c69d1e0128c6bea033df7c3077d5821de51f1cd2a40820ab2cbde45d7
                                                                                                    • Instruction Fuzzy Hash: 7521E7F29803017AF6217A359D46F9B3A9DDB55750F1008E4FE0EB11D3EA51D910CAF1
                                                                                                    APIs
                                                                                                    • Sleep.KERNELBASE(000003E8), ref: 02B888A5
                                                                                                      • Part of subcall function 02B8F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02B8E342,00000000,7686EA50,80000001,00000000,02B8E513,?,00000000,00000000,?,000000E4), ref: 02B8F089
                                                                                                      • Part of subcall function 02B8F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02B8E342,00000000,7686EA50,80000001,00000000,02B8E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02B8F093
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$FileSystem$Sleep
                                                                                                    • String ID: localcfg$rresolv
                                                                                                    • API String ID: 1561729337-486471987
                                                                                                    • Opcode ID: 246b244c8fb959d5f79dee265e81d15a7e04bbdd12ab92e9b7c5100c377e1537
                                                                                                    • Instruction ID: 9d48e9f38d4c0eac7839446d788f4ccd5199a98550bd753374f3a7f139641a16
                                                                                                    • Opcode Fuzzy Hash: 246b244c8fb959d5f79dee265e81d15a7e04bbdd12ab92e9b7c5100c377e1537
                                                                                                    • Instruction Fuzzy Hash: 8C210932D883047FF314FB64AD45F7A3A9AEB00764FD44899FD0C860C1EBA19580C9B2
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02B922F8,02B842B6,00000000,00000001,02B922F8,00000000,?,02B898FD), ref: 02B84021
                                                                                                    • GetLastError.KERNEL32(?,02B898FD,00000001,00000100,02B922F8,02B8A3C7), ref: 02B8402C
                                                                                                    • Sleep.KERNEL32(000001F4,?,02B898FD,00000001,00000100,02B922F8,02B8A3C7), ref: 02B84046
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateErrorFileLastSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 408151869-0
                                                                                                    • Opcode ID: 249a3ab932c207a612e6cbcf58b525e61b6a333de6af0e45c3a4b9cd8ce30c85
                                                                                                    • Instruction ID: 1a70ad12dcc51680c820193104eaecdaeda9964a22269dda85bded012be9b0c1
                                                                                                    • Opcode Fuzzy Hash: 249a3ab932c207a612e6cbcf58b525e61b6a333de6af0e45c3a4b9cd8ce30c85
                                                                                                    • Instruction Fuzzy Hash: AFF0A7326402066BD7312A34AC49B1B3275EB81728F264F64F3B9F20D0C7308481DB14
                                                                                                    APIs
                                                                                                    • GetEnvironmentVariableA.KERNEL32(02B8DC19,?,00000104), ref: 02B8DB7F
                                                                                                    • lstrcpyA.KERNEL32(?,02B928F8), ref: 02B8DBA4
                                                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02B8DBC2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2536392590-0
                                                                                                    • Opcode ID: 3e40b77140b9cc4872b760435e31e2c2ad69cdc84274ce52c9c37d4daadb272d
                                                                                                    • Instruction ID: 5fa61cdcdf5db0972b7ae92c3b55c8c0bd255ca4283d86984845161cdf3a0125
                                                                                                    • Opcode Fuzzy Hash: 3e40b77140b9cc4872b760435e31e2c2ad69cdc84274ce52c9c37d4daadb272d
                                                                                                    • Instruction Fuzzy Hash: 60F09A7054020AABEF20AF64DD89FE93B69AB10348F2049A4FB95A50D0D7F2D595CB20
                                                                                                    APIs
                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B8EC5E
                                                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02B8EC72
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8EC78
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                    • String ID:
                                                                                                    • API String ID: 1209300637-0
                                                                                                    • Opcode ID: 28db28ef3db96546fd27de1318a21d1c7f503f55fba421a391fe3ca119f6bbdb
                                                                                                    • Instruction ID: 1ba252498277acd327f0438f95a73259f6f5ce05476517b7256f22d1f200b0a6
                                                                                                    • Opcode Fuzzy Hash: 28db28ef3db96546fd27de1318a21d1c7f503f55fba421a391fe3ca119f6bbdb
                                                                                                    • Instruction Fuzzy Hash: 35E09AF5C50108BFE701ABB0DD4AE6B77BCEB08354F510A50F911D6090DA709A148B60
                                                                                                    APIs
                                                                                                    • gethostname.WS2_32(?,00000080), ref: 02B830D8
                                                                                                    • gethostbyname.WS2_32(?), ref: 02B830E2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: gethostbynamegethostname
                                                                                                    • String ID:
                                                                                                    • API String ID: 3961807697-0
                                                                                                    • Opcode ID: 29f1662b58b4b1548846affcdadd25fcc180e99d3590b6e9481f2657a919cc01
                                                                                                    • Instruction ID: 184ba2eed8863257d95cbc4420e215551126345f086984f2e7d59fa5c0de079d
                                                                                                    • Opcode Fuzzy Hash: 29f1662b58b4b1548846affcdadd25fcc180e99d3590b6e9481f2657a919cc01
                                                                                                    • Instruction Fuzzy Hash: 1CE06572D001199BCB10ABA8EC85F9A77ECFB04248F084461F945E3240EA34E504C790
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02B8EC0A,00000000,80000001,?,02B8DB55,7FFF0001), ref: 02B8EBAD
                                                                                                      • Part of subcall function 02B8EBA0: HeapSize.KERNEL32(00000000,?,02B8DB55,7FFF0001), ref: 02B8EBB4
                                                                                                    • GetProcessHeap.KERNEL32(00000000,02B8EA27,00000000,02B8EA27,00000000), ref: 02B8EC41
                                                                                                    • RtlFreeHeap.NTDLL(00000000), ref: 02B8EC48
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$FreeSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1305341483-0
                                                                                                    • Opcode ID: d731c80e791a61d3163f7c851769fcb46588930171c15d1be4cefa0031d9f114
                                                                                                    • Instruction ID: 6d06869274b5e011bd18341b7ac0096cddb80be9086897fb4c2fe78efd947946
                                                                                                    • Opcode Fuzzy Hash: d731c80e791a61d3163f7c851769fcb46588930171c15d1be4cefa0031d9f114
                                                                                                    • Instruction Fuzzy Hash: 95C01232C462306BC5513A60B90CF9B6B58DF46A51F090C49F50967044876098808EE1
                                                                                                    APIs
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B8EBFE,7FFF0001,?,02B8DB55,7FFF0001), ref: 02B8EBD3
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,02B8DB55,7FFF0001), ref: 02B8EBDA
                                                                                                      • Part of subcall function 02B8EB74: GetProcessHeap.KERNEL32(00000000,00000000,02B8EC28,00000000,?,02B8DB55,7FFF0001), ref: 02B8EB81
                                                                                                      • Part of subcall function 02B8EB74: HeapSize.KERNEL32(00000000,?,02B8DB55,7FFF0001), ref: 02B8EB88
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$AllocateSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2559512979-0
                                                                                                    • Opcode ID: 68ff16f166cec9b2cbad00f62b4ca5889855bf11d0849520058a916751ea4c07
                                                                                                    • Instruction ID: 21359e0af8a597a3b20a296a7f03edd860ce13c8ab48eb1e50b8ee6cb1abbd46
                                                                                                    • Opcode Fuzzy Hash: 68ff16f166cec9b2cbad00f62b4ca5889855bf11d0849520058a916751ea4c07
                                                                                                    • Instruction Fuzzy Hash: 03C01232A48230ABC60137B4BD08B9A2A98AF08AA2F040844F609C2164CA2088908AA6
                                                                                                    APIs
                                                                                                    • recv.WS2_32(000000C8,?,00000000,02B8CA44), ref: 02B8F476
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: recv
                                                                                                    • String ID:
                                                                                                    • API String ID: 1507349165-0
                                                                                                    • Opcode ID: f9053f921c13babb46386d350d5a87bb888821b1f15046108c0e804b85e9f3c5
                                                                                                    • Instruction ID: e5a9b27b5a1394141b7de238647a2a76fc8dc16757cb148859f222319a947239
                                                                                                    • Opcode Fuzzy Hash: f9053f921c13babb46386d350d5a87bb888821b1f15046108c0e804b85e9f3c5
                                                                                                    • Instruction Fuzzy Hash: 16F01C7320155EAB9F11AE9ADC84CBB3BAEFB892507480562FA18D7110D631E821CBA0
                                                                                                    APIs
                                                                                                    • closesocket.WS2_32(00000000), ref: 02B81992
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: closesocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 2781271927-0
                                                                                                    • Opcode ID: c42a406d5c420abdca3b0eaa86fb2f4cfa5a22c9f5af8f47ae6dc5d60725b5c0
                                                                                                    • Instruction ID: f26d61221d704ef2352d1c4f7e6be21911099b9d395b571a9825d19844c5b4aa
                                                                                                    • Opcode Fuzzy Hash: c42a406d5c420abdca3b0eaa86fb2f4cfa5a22c9f5af8f47ae6dc5d60725b5c0
                                                                                                    • Instruction Fuzzy Hash: D2D012265496326A52113759B80447FBB9CDF456A2751985BFD8CC1150D734C842C795
                                                                                                    APIs
                                                                                                    • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02B8DDB5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmpi
                                                                                                    • String ID:
                                                                                                    • API String ID: 1586166983-0
                                                                                                    • Opcode ID: 05fbfbfb548ec7848902e7ea0e84b6a13d75b9f0d4b0239637a6cbcdde810f97
                                                                                                    • Instruction ID: 160fedf5b5f7af3451a3253b8bb7819bdfdc930cb5accc6ed91e78c0e63807ce
                                                                                                    • Opcode Fuzzy Hash: 05fbfbfb548ec7848902e7ea0e84b6a13d75b9f0d4b0239637a6cbcdde810f97
                                                                                                    • Instruction Fuzzy Hash: D7F058326002039BCB20AE349984656B7E8EB86329F5449ABE55D93280EB30D859CB11
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02B89816,EntryPoint), ref: 02B8638F
                                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02B89816,EntryPoint), ref: 02B863A9
                                                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02B863CA
                                                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02B863EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 1965334864-0
                                                                                                    • Opcode ID: a20fea9954a0d93bc96de928163e21d3c6c6fe37051035663762651d73a58f4c
                                                                                                    • Instruction ID: 6dc3c5aa26b8e3d6625ee9e3f47e86dfb869fc9bcb9e91455a9e89c7a06f0660
                                                                                                    • Opcode Fuzzy Hash: a20fea9954a0d93bc96de928163e21d3c6c6fe37051035663762651d73a58f4c
                                                                                                    • Instruction Fuzzy Hash: 261191B2A00219BFDB51AE69DC49F9B3BACEB047A5F008464F918E7280D770DC10CAA0
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02B81839,02B89646), ref: 02B81012
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02B810C2
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02B810E1
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02B81101
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02B81121
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02B81140
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02B81160
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02B81180
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02B8119F
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02B811BF
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02B811DF
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02B811FE
                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02B8121A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                    • API String ID: 2238633743-3228201535
                                                                                                    • Opcode ID: a9593102874dac1eff9773b264f53c2776b7b83e3c7eb72e28e6370487bd42cc
                                                                                                    • Instruction ID: 3310f4cc400ea9ece554ec32eea417bcb255266f396d9ca2a87875d8866fc967
                                                                                                    • Opcode Fuzzy Hash: a9593102874dac1eff9773b264f53c2776b7b83e3c7eb72e28e6370487bd42cc
                                                                                                    • Instruction Fuzzy Hash: EC51B8719A3602EFDB11ABACAD4475232E4E3482A4F044BE6EA2FD31E0D770C492CF51
APIs
• GetLocalTime.KERNEL32(?), ref: 02B8B2B3
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02B8B2C2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 02B8B2D0
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02B8B2E1
• FileTimeToSystemTime.KERNEL32(?,?), ref: 02B8B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 02B8B329
• wsprintfA.USER32 ref: 02B8B3B7
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: a4ca3192ded28ad2a4a833d2653ec87ab1ab5a8c569ab8159af77c87b0e310f3
• Instruction ID: 06415bdfd7f4b13c92b4fbfd61611e9ef7e8dde1fff5f9ee94bf85a3e113025a
• Opcode Fuzzy Hash: a4ca3192ded28ad2a4a833d2653ec87ab1ab5a8c569ab8159af77c87b0e310f3
• Instruction Fuzzy Hash: 61510EB2E0021DAACF14EFD5D9849EFBBB9FF48309F1048E9E515B6150D3344A89CB54
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: dd7ecd7b0c187566a85ca7aa7b5cec0ac15da25a8835c5258d10ec9f3a3ccee8
• Instruction ID: 605341d07cdbbf2225f911ddbf4c0edc8c6a18544666fb71137caf051c237790
• Opcode Fuzzy Hash: dd7ecd7b0c187566a85ca7aa7b5cec0ac15da25a8835c5258d10ec9f3a3ccee8
• Instruction Fuzzy Hash: 0F611972950208AFEF60AFA4DC45FEA77E9FF08300F1484A9F96DD2161EA719950CF50
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-4264063882
• Opcode ID: bb7579b256d74b058b8605a2c3e27ebe0da61e5e8e9f83c15af8fa8bc8104ad9
• Instruction ID: 6ab301393eb6d248a434fc3fecd28533a89dd9671687dc8f2d671d92b48eab5e
• Opcode Fuzzy Hash: bb7579b256d74b058b8605a2c3e27ebe0da61e5e8e9f83c15af8fa8bc8104ad9
• Instruction Fuzzy Hash: BDA13D72944315ABEF20BA54DC85FBE7B6AFB00708F1408E7F90EA7090EB71A954CB55
APIs
• ShellExecuteExW.SHELL32(?), ref: 02B8139A
• lstrlenW.KERNEL32(-00000003), ref: 02B81571
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: e561550d906401daa488306bf7fa042f621cb04b3ca8302ed18edd4be29effad
• Instruction ID: 071de74090f6340fbedf7316d9c1464e167d2be0f003fbede931442c42a32f12
• Opcode Fuzzy Hash: e561550d906401daa488306bf7fa042f621cb04b3ca8302ed18edd4be29effad
• Instruction Fuzzy Hash: 88F19BB55193419FD320EF68C888BAAB7E5FB88344F004DADFA9E87280D774D845CB52
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 02B82A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 02B82A86
• socket.WS2_32(00000002,00000002,00000011), ref: 02B82AA0
• htons.WS2_32(00000000), ref: 02B82ADB
• select.WS2_32 ref: 02B82B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 02B82B4A
• htons.WS2_32(?), ref: 02B82B71
• htons.WS2_32(?), ref: 02B82B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02B82BFB
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: adfe9937f9e861e8204a99865665dac5c5fab05ea46afbe81fec3226cd066112
• Instruction ID: e3ee372a836ca71d26e17e3906f463c2d8d621d9f31a47747b338a5db8f15124
• Opcode Fuzzy Hash: adfe9937f9e861e8204a99865665dac5c5fab05ea46afbe81fec3226cd066112
• Instruction Fuzzy Hash: 2961AE719043459FD720BF65DD08B7ABBE8EB48785F000849FE8997140D7B0D880CFA2
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 02B870C2
• RegEnumValueA.ADVAPI32(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 02B8719E
• RegCloseKey.ADVAPI32(771B0F10,?,771B0F10,00000000), ref: 02B871B2
• RegCloseKey.ADVAPI32(771B0F10), ref: 02B87208
• RegCloseKey.ADVAPI32(771B0F10), ref: 02B87291
• ___ascii_stricmp.LIBCMT ref: 02B872C2
• RegCloseKey.ADVAPI32(771B0F10), ref: 02B872D0
• RegCloseKey.ADVAPI32(771B0F10), ref: 02B87314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B8738D
• RegCloseKey.ADVAPI32(771B0F10), ref: 02B873D8
  • Part of subcall function 02B8F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02B922F8,000000C8,02B87150,?), ref: 02B8F1AD
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 4dc03420bb0e57684a92d892059bb0618f486004e6ad0eeb76ae2956233cd785
• Instruction ID: 02470a2e507750eeafe6603a770d5bc0651d581339539a48833f37ec7db46fdf
• Opcode Fuzzy Hash: 4dc03420bb0e57684a92d892059bb0618f486004e6ad0eeb76ae2956233cd785
• Instruction Fuzzy Hash: 8BB19376944209ABDF15FFA0DC45BEEB7B9EF05304F2004A6F509E2090EB719A84DB61
APIs
• GetLocalTime.KERNEL32(?), ref: 02B8AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 02B8ADA6
  • Part of subcall function 02B8AD08: gethostname.WS2_32(?,00000080), ref: 02B8AD1C
  • Part of subcall function 02B8AD08: lstrlenA.KERNEL32(?), ref: 02B8AD60
  • Part of subcall function 02B8AD08: lstrlenA.KERNEL32(?), ref: 02B8AD69
  • Part of subcall function 02B8AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 02B8AD7F
  • Part of subcall function 02B830B5: gethostname.WS2_32(?,00000080), ref: 02B830D8
  • Part of subcall function 02B830B5: gethostbyname.WS2_32(?), ref: 02B830E2
• wsprintfA.USER32 ref: 02B8AEA5
  • Part of subcall function 02B8A7A3: inet_ntoa.WS2_32(00000000), ref: 02B8A7A9
• wsprintfA.USER32 ref: 02B8AE4F
• wsprintfA.USER32 ref: 02B8AE5E
  • Part of subcall function 02B8EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02B8EF92
  • Part of subcall function 02B8EF7C: lstrlenA.KERNEL32(?), ref: 02B8EF99
  • Part of subcall function 02B8EF7C: lstrlenA.KERNEL32(00000000), ref: 02B8EFA0
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: 7f424982ec7831cd355bbab427a4e2641dd5e3861310d8a671ae1d4c0a00c72e
• Instruction ID: 48658644a074344dab7af41fecd422ff44b8365995c7f0dd3dda26beeee30e55
• Opcode Fuzzy Hash: 7f424982ec7831cd355bbab427a4e2641dd5e3861310d8a671ae1d4c0a00c72e
• Instruction Fuzzy Hash: 5641EEB290025CABEF25BFA0DC45EEE3BADFB08344F1448A6F91992151EA71D554CF50
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,02B82F0F,?,02B820FF,02B92000), ref: 02B82E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02B82F0F,?,02B820FF,02B92000), ref: 02B82E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02B82E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02B82F0F,?,02B820FF,02B92000), ref: 02B82E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,02B82F0F,?,02B820FF,02B92000), ref: 02B82E4F
• htons.WS2_32(00000035), ref: 02B82E88
• inet_addr.WS2_32(?), ref: 02B82E93
• gethostbyname.WS2_32(?), ref: 02B82EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,02B82F0F,?,02B820FF,02B92000), ref: 02B82EE3
• HeapFree.KERNEL32(00000000,?,00000000,02B82F0F,?,02B820FF,02B92000), ref: 02B82EE6
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: c632650ea7879f0c12aa042ca3082cf407b29297454e76926c98858cbb5bd7ec
• Instruction ID: 3873e5a27c2f21fc3c27f6c91a469f74dcd9e143b15a505249fb1035be4c04a9
• Opcode Fuzzy Hash: c632650ea7879f0c12aa042ca3082cf407b29297454e76926c98858cbb5bd7ec
• Instruction Fuzzy Hash: 3631B133E4024AABDB10BBB89848B6E7BB8EF04766F140995FD1CE7290DB30D551CB58
APIs
• GetVersionExA.KERNEL32(?,?,02B89DD7,?,00000022,?,?,00000000,00000001), ref: 02B89340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02B89DD7,?,00000022,?,?,00000000,00000001), ref: 02B8936E
• GetModuleFileNameA.KERNEL32(00000000,?,02B89DD7,?,00000022,?,?,00000000,00000001), ref: 02B89375
• wsprintfA.USER32 ref: 02B893CE
• wsprintfA.USER32 ref: 02B8940C
• wsprintfA.USER32 ref: 02B8948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02B894F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B89526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B89571
Memory Dump Source
• Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: 67d4ff2ce09f9788552c25a43940e7082af844fec85d8d275671f84def3c3a8c
• Instruction ID: 7fadaee1e314da9dfc3441d2310a0d93ff968b11abd7ab850159adcd5c500960
• Opcode Fuzzy Hash: 67d4ff2ce09f9788552c25a43940e7082af844fec85d8d275671f84def3c3a8c
• Instruction Fuzzy Hash: 55A18FB2940648EFEF21AFA0CC45FEE3BADEB44740F1004A6FA0992251E771D594CFA0
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B82078
                                                                                                    • GetTickCount.KERNEL32 ref: 02B820D4
                                                                                                    • GetTickCount.KERNEL32 ref: 02B820DB
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8212B
                                                                                                    • GetTickCount.KERNEL32 ref: 02B82132
                                                                                                    • GetTickCount.KERNEL32 ref: 02B82142
                                                                                                      • Part of subcall function 02B8F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02B8E342,00000000,7686EA50,80000001,00000000,02B8E513,?,00000000,00000000,?,000000E4), ref: 02B8F089
                                                                                                      • Part of subcall function 02B8F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02B8E342,00000000,7686EA50,80000001,00000000,02B8E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02B8F093
                                                                                                      • Part of subcall function 02B8E854: lstrcpyA.KERNEL32(00000001,?,?,02B8D8DF,00000001,localcfg,except_info,00100000,02B90264), ref: 02B8E88B
                                                                                                      • Part of subcall function 02B8E854: lstrlenA.KERNEL32(00000001,?,02B8D8DF,00000001,localcfg,except_info,00100000,02B90264), ref: 02B8E899
                                                                                                      • Part of subcall function 02B81C5F: wsprintfA.USER32 ref: 02B81CE1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                    • String ID: iq_$localcfg$net_type$rbl_bl$rbl_ip
                                                                                                    • API String ID: 3976553417-930786573
                                                                                                    • Opcode ID: 7207a5137fab5147c09f07594764ca5353f57443a7bc969280abe8ea9d73d7c4
                                                                                                    • Instruction ID: d69611bd64593a5ca27a9fd232cfb90f9193f8d6d9ad6ed227d8abc08d96b95e
                                                                                                    • Opcode Fuzzy Hash: 7207a5137fab5147c09f07594764ca5353f57443a7bc969280abe8ea9d73d7c4
                                                                                                    • Instruction Fuzzy Hash: 925126B1D853866EE728FF34EE45B663BD5EB00354F20089DEE8DC7190DBB49498CA11
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 02B8B467
                                                                                                      • Part of subcall function 02B8EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02B8EF92
                                                                                                      • Part of subcall function 02B8EF7C: lstrlenA.KERNEL32(?), ref: 02B8EF99
                                                                                                      • Part of subcall function 02B8EF7C: lstrlenA.KERNEL32(00000000), ref: 02B8EFA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$wsprintf
                                                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                    • API String ID: 1220175532-2340906255
                                                                                                    • Opcode ID: b7dc2c17e8b10429fe9f333cc7a6570860cb15b0a7d41d7cce999f6dad9bb5b9
                                                                                                    • Instruction ID: 0462936c5976a0d20d18b8ef31ba2df7ccf4b964a0ae7d82ab2b741d35641b9a
                                                                                                    • Opcode Fuzzy Hash: b7dc2c17e8b10429fe9f333cc7a6570860cb15b0a7d41d7cce999f6dad9bb5b9
                                                                                                    • Instruction Fuzzy Hash: FF413BB254011DBEEF01BAA4CCC1DBF7B7DEF49648F1404A5FA09B2010DB75AA58CBA1
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8A4C7: GetTickCount.KERNEL32 ref: 02B8A4D1
                                                                                                      • Part of subcall function 02B8A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02B8A4FA
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8C31F
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8C32B
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8C363
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8C378
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8C44D
                                                                                                    • InterlockedIncrement.KERNEL32(02B8C4E4), ref: 02B8C4AE
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,02B8B535,00000000,?,02B8C4E0), ref: 02B8C4C1
                                                                                                    • CloseHandle.KERNEL32(00000000,?,02B8C4E0,02B93588,02B88810), ref: 02B8C4CC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1553760989-1857712256
                                                                                                    • Opcode ID: 6e72787a3bf405879e2a89e426199f14407eb19c2c2dd94ff86b857b7e9de70a
                                                                                                    • Instruction ID: 71a4d92cae44980f7b4de927cad29148d6afa357a2c69f6425312d43bf91e82d
                                                                                                    • Opcode Fuzzy Hash: 6e72787a3bf405879e2a89e426199f14407eb19c2c2dd94ff86b857b7e9de70a
                                                                                                    • Instruction Fuzzy Hash: E2515DB1900B418FD728AF69C5C452ABBE9FB48304B549D7ED18BC7A90D774F845CB24
                                                                                                    APIs
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02B8BE4F
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02B8BE5B
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02B8BE67
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02B8BF6A
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02B8BF7F
                                                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02B8BF94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrcmpi
                                                                                                    • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                    • API String ID: 1586166983-1625972887
                                                                                                    • Opcode ID: ff6f494e53e63a6b521d798c3a3e9963f11e94b74dc2c681482c79f74ff685af
                                                                                                    • Instruction ID: 2589a09a91bbff08115f29f29481333f310e655743e99bc0065595297c55ac25
                                                                                                    • Opcode Fuzzy Hash: ff6f494e53e63a6b521d798c3a3e9963f11e94b74dc2c681482c79f74ff685af
                                                                                                    • Instruction Fuzzy Hash: F4515E72A0461AEFDF11AE78C980B5EBBA9EF0534DF0444E9E949DB211D730E945CF90
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86A7D
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(02B89E9D,02B89A60,?,?,?,02B922F8,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86ABB
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86B40
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86B4E
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86B5F
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86B6F
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86B7D
                                                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02B89A60,?,?,02B89E9D), ref: 02B86B80
                                                                                                    • GetLastError.KERNEL32(?,?,?,02B89A60,?,?,02B89E9D,?,?,?,?,?,02B89E9D,?,00000022,?), ref: 02B86B96
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188212458-0
                                                                                                    • Opcode ID: 76220c365b44d86b73e54f957434a2c19b1dbce00647ad1c87376cd9089bd35a
                                                                                                    • Instruction ID: 309acf9819d27c3593682060b046ef025032984e47b034d4011684cee476b210
                                                                                                    • Opcode Fuzzy Hash: 76220c365b44d86b73e54f957434a2c19b1dbce00647ad1c87376cd9089bd35a
                                                                                                    • Instruction Fuzzy Hash: 4E31F2B2D0014DBFCB01BFA48A85ADE7B7DEF48344F1448A6E619A3200D73095A4CF61
                                                                                                    APIs
                                                                                                    • GetUserNameA.ADVAPI32(?,02B8D7C3), ref: 02B86F7A
                                                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02B8D7C3), ref: 02B86FC1
                                                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02B86FE8
                                                                                                    • LocalFree.KERNEL32(00000120), ref: 02B8701F
                                                                                                    • wsprintfA.USER32 ref: 02B87036
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                    • String ID: /%d$|
                                                                                                    • API String ID: 676856371-4124749705
                                                                                                    • Opcode ID: 0b98f37957213d93fb05c3ad41a7be5cbbdd9cd70679ba9cd21a2a4f212e1280
                                                                                                    • Instruction ID: 9a7dac60a60b4881b42085e2dd1a536c1c0f3f0248c21bac5695844efe86ba38
                                                                                                    • Opcode Fuzzy Hash: 0b98f37957213d93fb05c3ad41a7be5cbbdd9cd70679ba9cd21a2a4f212e1280
                                                                                                    • Instruction Fuzzy Hash: F6312976900219AFDB01EFA8D848ADA7BBCEF04354F1484A6F85DDB101EB35E608CB94
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02B922F8,000000E4,02B86DDC,000000C8), ref: 02B86CE7
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02B86CEE
                                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02B86D14
                                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02B86D2B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                    • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                    • API String ID: 1082366364-3395550214
                                                                                                    • Opcode ID: 183ebc6abba769727aa36318b455f4ec048fbd1d3d39ba8378a621a458553043
                                                                                                    • Instruction ID: 62ed1c0912e686918afa10f86767811e5e89fdf49352d21c218f52b99baf090a
                                                                                                    • Opcode Fuzzy Hash: 183ebc6abba769727aa36318b455f4ec048fbd1d3d39ba8378a621a458553043
                                                                                                    • Instruction Fuzzy Hash: BD212662EC565479FB2576225CC9F673F8DCB03784F0808D4FC0C97081E7948485C7A5
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(00000000,02B89947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02B922F8), ref: 02B897B1
                                                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02B922F8), ref: 02B897EB
                                                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02B922F8), ref: 02B897F9
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02B922F8), ref: 02B89831
                                                                                                    • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02B922F8), ref: 02B8984E
                                                                                                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02B922F8), ref: 02B8985B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                    • String ID: D
                                                                                                    • API String ID: 2981417381-2746444292
                                                                                                    • Opcode ID: 8347ac8177a40222afd5469d295e3c0be627fa0d9cb5c59fd5d65bec838b5f71
                                                                                                    • Instruction ID: 1cf4e3e6cd7ab37cddb91e32cc32df4bd8d3714d73d5c32920367b07feb54b29
                                                                                                    • Opcode Fuzzy Hash: 8347ac8177a40222afd5469d295e3c0be627fa0d9cb5c59fd5d65bec838b5f71
                                                                                                    • Instruction Fuzzy Hash: 97210C71D41129ABDF21AFA1DC49FEF7B7CEF09694F0048A1FA19E2150EB309654CEA0
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8DD05: GetTickCount.KERNEL32 ref: 02B8DD0F
                                                                                                      • Part of subcall function 02B8DD05: InterlockedExchange.KERNEL32(02B936B4,00000001), ref: 02B8DD44
                                                                                                      • Part of subcall function 02B8DD05: GetCurrentThreadId.KERNEL32 ref: 02B8DD53
                                                                                                      • Part of subcall function 02B8DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02B8DDB5
                                                                                                    • lstrcpynA.KERNEL32(?,02B81E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02B8EAAA,?,?), ref: 02B8E8DE
                                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02B8EAAA,?,?,00000001,?,02B81E84,?), ref: 02B8E935
                                                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02B8EAAA,?,?,00000001,?,02B81E84,?,0000000A), ref: 02B8E93D
                                                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02B8EAAA,?,?,00000001,?,02B81E84,?), ref: 02B8E94F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                    • String ID: flags_upd$localcfg
                                                                                                    • API String ID: 204374128-3505511081
                                                                                                    • Opcode ID: 772ef09069f1e17e03f2ec9ceaff7fc0d459c1a336c06663d05ad5f85e80f447
                                                                                                    • Instruction ID: 4e3d504a2fffbab0c4c432216e02efd30df06cc19792e800381c43baee345532
                                                                                                    • Opcode Fuzzy Hash: 772ef09069f1e17e03f2ec9ceaff7fc0d459c1a336c06663d05ad5f85e80f447
                                                                                                    • Instruction Fuzzy Hash: 4A511E72D0020AAFCB11EFA8C9849AEB7F9FF48304F14456AE519A7250E775EA15CF50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Code
                                                                                                    • String ID:
                                                                                                    • API String ID: 3609698214-0
                                                                                                    • Opcode ID: c167f8b9073aa5b60816bbc9240d45d5c95694b5ce3e34426ed12da009d33523
                                                                                                    • Instruction ID: 7ae191eb455839b3227f429e353cdb697d6ddf9043c2b647f30a154b00086f13
                                                                                                    • Opcode Fuzzy Hash: c167f8b9073aa5b60816bbc9240d45d5c95694b5ce3e34426ed12da009d33523
                                                                                                    • Instruction Fuzzy Hash: 25218176904115FFDB117B60EE49E9F3FADDB043A4B104895F60AE2040EB31DA10DB74
                                                                                                    APIs
                                                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,02B922F8), ref: 02B8907B
                                                                                                    • wsprintfA.USER32 ref: 02B890E9
                                                                                                    • CreateFileA.KERNEL32(02B922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B8910E
                                                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02B89122
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B8912D
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 02B89134
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 2439722600-0
                                                                                                    • Opcode ID: 93f687f013342e0e24df61c6dc945d006ce97e640a44e7d3f1edfb7735d9f82b
                                                                                                    • Instruction ID: eb517b17b54ea62987928ad40e7f7bf81ad9132440fccc5317c239774baf5c3b
                                                                                                    • Opcode Fuzzy Hash: 93f687f013342e0e24df61c6dc945d006ce97e640a44e7d3f1edfb7735d9f82b
                                                                                                    • Instruction Fuzzy Hash: 071187F2A401147BFB257661DD09EAF3A6FDFC4701F0088A5FB0EA6150EA708A51CE64
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8DD0F
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02B8DD20
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8DD2E
                                                                                                    • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,02B8E538,?,771B0F10,?,00000000,?,02B8A445), ref: 02B8DD3B
                                                                                                    • InterlockedExchange.KERNEL32(02B936B4,00000001), ref: 02B8DD44
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 02B8DD53
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3819781495-0
                                                                                                    • Opcode ID: 623afdd2fbc4bc5386ba40bdeea9578e77135e452ed526315c05995e434bf8e5
                                                                                                    • Instruction ID: c2e8f005365cb69647349c3145ec300349348ba2c7b09c15331546b22754c00b
                                                                                                    • Opcode Fuzzy Hash: 623afdd2fbc4bc5386ba40bdeea9578e77135e452ed526315c05995e434bf8e5
                                                                                                    • Instruction Fuzzy Hash: FFF0897398C1099FDB407BB5AA84B2977F6E745391F000C96E50DC3181D7249465CF61
                                                                                                    APIs
                                                                                                    • gethostname.WS2_32(?,00000080), ref: 02B8AD1C
                                                                                                    • lstrlenA.KERNEL32(?), ref: 02B8AD60
                                                                                                    • lstrlenA.KERNEL32(?), ref: 02B8AD69
                                                                                                    • lstrcpyA.KERNEL32(?,LocalHost), ref: 02B8AD7F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: lstrlen$gethostnamelstrcpy
                                                                                                    • String ID: LocalHost
                                                                                                    • API String ID: 3695455745-3154191806
                                                                                                    • Opcode ID: a2fc2381f6aa12c6a147ce18c17440e2fca89813f7dc96af8bad75d246c0d727
                                                                                                    • Instruction ID: fa7ca69e367c735f0003e77975f34a2e377e0ae7acc3c663c2be2ef25eb38f08
                                                                                                    • Opcode Fuzzy Hash: a2fc2381f6aa12c6a147ce18c17440e2fca89813f7dc96af8bad75d246c0d727
                                                                                                    • Instruction Fuzzy Hash: EB01F1208841899EDF317A389844BB97F6AEB8674AF5014D7E4C8DB116FF649087C7A2
                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02B898FD,00000001,00000100,02B922F8,02B8A3C7), ref: 02B84290
                                                                                                    • CloseHandle.KERNEL32(02B8A3C7), ref: 02B843AB
                                                                                                    • CloseHandle.KERNEL32(00000001), ref: 02B843AE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: CloseHandle$CreateEvent
                                                                                                    • String ID:
                                                                                                    • API String ID: 1371578007-0
                                                                                                    • Opcode ID: 5bebafd56713f4ea95d46ace3d93daaa867e4a09912d11d6b8d412c8e2a46034
                                                                                                    • Instruction ID: 985541e810f6479290de08b557ad83be5978a6ff4457771d6b7a06eb40af779b
                                                                                                    • Opcode Fuzzy Hash: 5bebafd56713f4ea95d46ace3d93daaa867e4a09912d11d6b8d412c8e2a46034
                                                                                                    • Instruction Fuzzy Hash: 76419AB1C0020ABBDF21BBA1DD85FAFBFB9EF40364F1045A5F618A2180D7348650CBA0
                                                                                                    APIs
                                                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02B864CF,00000000), ref: 02B8609C
                                                                                                    • LoadLibraryA.KERNEL32(?,?,02B864CF,00000000), ref: 02B860C3
                                                                                                    • GetProcAddress.KERNEL32(?,00000014), ref: 02B8614A
                                                                                                    • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02B8619E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: Read$AddressLibraryLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2438460464-0
                                                                                                    • Opcode ID: 35883bf135ac2c939be8202f5e8c6e971825501273cef02927692147c838cb1f
                                                                                                    • Instruction ID: 86ec21ed28ff544b4a11b377636b01baaa2da488cb36863e60a53581a674b8ed
                                                                                                    • Opcode Fuzzy Hash: 35883bf135ac2c939be8202f5e8c6e971825501273cef02927692147c838cb1f
                                                                                                    • Instruction Fuzzy Hash: 8C417B71E0020AEFDB14FF58C884B79B7B9EF04358F1484A9E919D7292E730E980CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 186121d30a8cd54086ae10d336930cb2fdcaf144ac5378ca0a1d0d9d75de2d16
                                                                                                    • Instruction ID: 5b2ee24ac212bc52da55ea4c82d03cb96ee19ed16e5fe13d9f287b215a31832a
                                                                                                    • Opcode Fuzzy Hash: 186121d30a8cd54086ae10d336930cb2fdcaf144ac5378ca0a1d0d9d75de2d16
                                                                                                    • Instruction Fuzzy Hash: B2319E72A00219ABDB20AFA9CC81BBEB7F4EF48741F104896E958E6241E374D641CB54
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8272E
                                                                                                    • htons.WS2_32(00000001), ref: 02B82752
                                                                                                    • htons.WS2_32(0000000F), ref: 02B827D5
                                                                                                    • htons.WS2_32(00000001), ref: 02B827E3
                                                                                                    • sendto.WS2_32(?,02B92BF8,00000009,00000000,00000010,00000010), ref: 02B82802
                                                                                                      • Part of subcall function 02B8EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B8EBFE,7FFF0001,?,02B8DB55,7FFF0001), ref: 02B8EBD3
                                                                                                      • Part of subcall function 02B8EBCC: RtlAllocateHeap.NTDLL(00000000,?,02B8DB55,7FFF0001), ref: 02B8EBDA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                    • String ID:
                                                                                                    • API String ID: 1128258776-0
                                                                                                    • Opcode ID: c369a0397e892ee4e1ca0c7cac6d35bd23d936a7211060fc3dad2e62bf6611d5
                                                                                                    • Instruction ID: 6231ed917f0555507519696d67e7a4ff320b8cf019794d2f0d672585359c4fe5
                                                                                                    • Opcode Fuzzy Hash: c369a0397e892ee4e1ca0c7cac6d35bd23d936a7211060fc3dad2e62bf6611d5
                                                                                                    • Instruction Fuzzy Hash: B3316D38E803C6AFD710BF75D980AA577A0EF19358B2948ADEC59CB312D732D852CB50
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02B922F8), ref: 02B8915F
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 02B89166
                                                                                                    • CharToOemA.USER32(?,?), ref: 02B89174
                                                                                                    • wsprintfA.USER32 ref: 02B891A9
                                                                                                      • Part of subcall function 02B89064: GetTempPathA.KERNEL32(00000400,?,00000000,02B922F8), ref: 02B8907B
                                                                                                      • Part of subcall function 02B89064: wsprintfA.USER32 ref: 02B890E9
                                                                                                      • Part of subcall function 02B89064: CreateFileA.KERNEL32(02B922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B8910E
                                                                                                      • Part of subcall function 02B89064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02B89122
                                                                                                      • Part of subcall function 02B89064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B8912D
                                                                                                      • Part of subcall function 02B89064: CloseHandle.KERNEL32(00000000), ref: 02B89134
                                                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02B891E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3857584221-0
                                                                                                    • Opcode ID: 2fb29e5ac5e8fd68e502b9ac6637d640b3a81c85971da08dd155debe137741bd
                                                                                                    • Instruction ID: 9ac7a91df0a241d2c3b5c773d0ee0c32b3d4a21257edf68417b7c99b6a9b5ff4
                                                                                                    • Opcode Fuzzy Hash: 2fb29e5ac5e8fd68e502b9ac6637d640b3a81c85971da08dd155debe137741bd
                                                                                                    • Instruction Fuzzy Hash: 150140F79401587BDA20B6619D49FEF7B7CDB95701F0004A2FB49E2040D6749685CF70
                                                                                                    APIs
                                                                                                    • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02B82491,?,?,?,02B8E844,-00000030,?,?,?,00000001), ref: 02B82429
                                                                                                    • lstrlenA.KERNEL32(?,?,02B82491,?,?,?,02B8E844,-00000030,?,?,?,00000001,02B81E3D,00000001,localcfg,lid_file_upd), ref: 02B8243E
                                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 02B82452
                                                                                                    • lstrlenA.KERNEL32(?,?,02B82491,?,?,?,02B8E844,-00000030,?,?,?,00000001,02B81E3D,00000001,localcfg,lid_file_upd), ref: 02B82467
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: lstrlen$lstrcmpi
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 1808961391-1857712256
                                                                                                    • Opcode ID: c312dbc61a4227b707c85f7cb5dcdce64103029660e37f653f352d2bd54a0361
                                                                                                    • Instruction ID: 8bc89b5bdb0f103f98711c67bd31bc251ce4dcb58fd163edbc0e128c22ac16c2
                                                                                                    • Opcode Fuzzy Hash: c312dbc61a4227b707c85f7cb5dcdce64103029660e37f653f352d2bd54a0361
                                                                                                    • Instruction Fuzzy Hash: 2E010832A00258EF8F11BF69C88499E7BA9EF44394B09C465ED5997200E330EA50CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: wsprintf
                                                                                                    • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                    • API String ID: 2111968516-120809033
                                                                                                    • Opcode ID: 25107c91c898458f392e875bcef4180af6cf7bb8616c50ecddc0c534efc7fcf0
                                                                                                    • Instruction ID: 86083cc6d7079258b5754d888e6bb30bb7e525aec42971c2ca71a9f33549845f
                                                                                                    • Opcode Fuzzy Hash: 25107c91c898458f392e875bcef4180af6cf7bb8616c50ecddc0c534efc7fcf0
                                                                                                    • Instruction Fuzzy Hash: BC419D729042989FDB21EF798D44BEE3BE99F49310F240495FD68D3151E634E605CFA0
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B8DD05: GetTickCount.KERNEL32 ref: 02B8DD0F
                                                                                                      • Part of subcall function 02B8DD05: InterlockedExchange.KERNEL32(02B936B4,00000001), ref: 02B8DD44
                                                                                                      • Part of subcall function 02B8DD05: GetCurrentThreadId.KERNEL32 ref: 02B8DD53
                                                                                                    • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,02B85EC1), ref: 02B8E693
                                                                                                    • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,02B85EC1), ref: 02B8E6E9
                                                                                                    • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,771B0F10,00000000,?,02B85EC1), ref: 02B8E722
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                    • String ID: 89ABCDEF
                                                                                                    • API String ID: 3343386518-71641322
                                                                                                    • Opcode ID: 100616fa52b15d83a05622ebaa5b08f7d6280fdad8d1ce670386d14614e72ce4
                                                                                                    • Instruction ID: 31f9c9270af815ae5dde6db0852f1644059eb4991f1b0f4a2a7b00f91aa381ec
                                                                                                    • Opcode Fuzzy Hash: 100616fa52b15d83a05622ebaa5b08f7d6280fdad8d1ce670386d14614e72ce4
                                                                                                    • Instruction Fuzzy Hash: 7F31CF32A00716EBCF31AF64D884B667BE5FB01764F1048AAF95D8B552E770E884CB91
                                                                                                    APIs
                                                                                                    • RegCreateKeyExA.ADVAPI32(80000001,02B8E2A3,00000000,00000000,00000000,00020106,00000000,02B8E2A3,00000000,000000E4), ref: 02B8E0B2
                                                                                                    • RegSetValueExA.ADVAPI32(02B8E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02B922F8), ref: 02B8E127
                                                                                                    • RegDeleteValueA.ADVAPI32(02B8E2A3,?,?,?,?,?,000000C8,02B922F8), ref: 02B8E158
                                                                                                    • RegCloseKey.ADVAPI32(02B8E2A3,?,?,?,?,000000C8,02B922F8,?,?,?,?,?,?,?,?,02B8E2A3), ref: 02B8E161
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseCreateDelete
                                                                                                    • String ID:
                                                                                                    • API String ID: 2667537340-0
                                                                                                    • Opcode ID: 45b1e92f3937bd8a69e966786ae0f927da2f736314d09e0eef61076291bbf1d4
                                                                                                    • Instruction ID: ed7eb40953d39d5beebc3a23e6d02807d63e147fbc346e94f9b3aa8c10c641b1
                                                                                                    • Opcode Fuzzy Hash: 45b1e92f3937bd8a69e966786ae0f927da2f736314d09e0eef61076291bbf1d4
                                                                                                    • Instruction Fuzzy Hash: 01212F72A00219BBDF21AEA4DC89EAE7FB9EF05790F0044A1F908A6150E671DA54DB90
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,02B8A3C7,00000000,00000000,000007D0,00000001), ref: 02B83FB8
                                                                                                    • GetLastError.KERNEL32 ref: 02B83FC2
                                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 02B83FD3
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B83FE6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 888215731-0
                                                                                                    • Opcode ID: 21cbd8750953f1a8c078a13c4d2664595a6fecb430befa746baa531b8b062f45
                                                                                                    • Instruction ID: 572d556b3564055bbff241c33d9cfdc4e3fe148730c1b2f1f74244563bcd3007
                                                                                                    • Opcode Fuzzy Hash: 21cbd8750953f1a8c078a13c4d2664595a6fecb430befa746baa531b8b062f45
                                                                                                    • Instruction Fuzzy Hash: 4E01E97291011AABDF11EF94D945BEE7BBCEB04755F004491F906E2040DB71DA64CBB1
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(00000000,00000000,02B8A3C7,00000000,00000000,000007D0,00000001), ref: 02B83F44
                                                                                                    • GetLastError.KERNEL32 ref: 02B83F4E
                                                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 02B83F5F
                                                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B83F72
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3373104450-0
                                                                                                    • Opcode ID: fee62b420c95218c7ff01fd36844286885d7f19c58da10e09c2deae1d404f4fa
                                                                                                    • Instruction ID: 0bb21c16112d3c8a403e57e01462b0ae94fc497ccdca81b9c0683a89e1ce061f
                                                                                                    • Opcode Fuzzy Hash: fee62b420c95218c7ff01fd36844286885d7f19c58da10e09c2deae1d404f4fa
                                                                                                    • Instruction Fuzzy Hash: 4901D372911119ABDB01EF90D984BEE7BBCEB04795F1048A6FA05E2040D7349A24CBA2
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B84E9E
                                                                                                    • GetTickCount.KERNEL32 ref: 02B84EAD
                                                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 02B84EBA
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02B84EC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 8f6cd665a8c8846b8623afbdb4bcc81134cf79b0e7096a193de293eaa1377a69
                                                                                                    • Instruction ID: 9e318bd9cd5d5a851d2ee233be20698f160687ae0f68595e155fb0141442632e
                                                                                                    • Opcode Fuzzy Hash: 8f6cd665a8c8846b8623afbdb4bcc81134cf79b0e7096a193de293eaa1377a69
                                                                                                    • Instruction Fuzzy Hash: ECE0863364121957D61036B9AD84F6776599B453A2F010D71E60DD3180D656946285B1
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8A4D1
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8A4E4
                                                                                                    • Sleep.KERNEL32(00000000,?,02B8C2E9,02B8C4E0,00000000,localcfg,?,02B8C4E0,02B93588,02B88810), ref: 02B8A4F1
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02B8A4FA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: c523013d1113274ca132ba65cbae137b36aee710f096a5026817c8bbd5a5f27a
                                                                                                    • Instruction ID: 04a8c6875b159f4fbe9187f217b23f0d21a275d43bd130008f9226b1c4247968
                                                                                                    • Opcode Fuzzy Hash: c523013d1113274ca132ba65cbae137b36aee710f096a5026817c8bbd5a5f27a
                                                                                                    • Instruction Fuzzy Hash: BAE07D3324020857CF0037B5AD84FAA33C8EB497F1F0A08A2FF0CE3141C61AA561C2B2
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B84BDD
                                                                                                    • GetTickCount.KERNEL32 ref: 02B84BEC
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,0301E054,02B850F2), ref: 02B84BF9
                                                                                                    • InterlockedExchange.KERNEL32(0301E048,00000001), ref: 02B84C02
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 6e7563d8f1b0ccffa57892ba84bbf48e2338d534df8eb35bc6d5df8d7f9adaf7
                                                                                                    • Instruction ID: 6bc97fae1444fdc1aaca54abc7d8e25e2187e66d38b9ac860242e1836e1cf0b8
                                                                                                    • Opcode Fuzzy Hash: 6e7563d8f1b0ccffa57892ba84bbf48e2338d534df8eb35bc6d5df8d7f9adaf7
                                                                                                    • Instruction Fuzzy Hash: 02E0CD3768121957C71037B65E84F5677ACDB453A1F060CB2F70CD3140C5569451C6B1
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 02B83103
                                                                                                    • GetTickCount.KERNEL32 ref: 02B8310F
                                                                                                    • Sleep.KERNEL32(00000000), ref: 02B8311C
                                                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 02B83128
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2207858713-0
                                                                                                    • Opcode ID: 1e4990814211adf4f85c30ffd08dc1cfcc741483694d0817a6aa87a221539e86
                                                                                                    • Instruction ID: cd3c15247a57dc4441cc2edce791579171ee1a6848052a92aaaf55c393fdfd29
                                                                                                    • Opcode Fuzzy Hash: 1e4990814211adf4f85c30ffd08dc1cfcc741483694d0817a6aa87a221539e86
                                                                                                    • Instruction Fuzzy Hash: 99E0C23164021AABDB007B75AE85B696A9ADF84FA1F010CB1F209D3090C6504860CA71
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 536389180-1857712256
                                                                                                    • Opcode ID: 18368221942263617a2ff1e840e59c1412471849dd4a090bc8953ed22083f74b
                                                                                                    • Instruction ID: cfa7dff07abd37bcccf6cde28cacf1d87874995000a3d2309484d1535c5e7a0f
                                                                                                    • Opcode Fuzzy Hash: 18368221942263617a2ff1e840e59c1412471849dd4a090bc8953ed22083f74b
                                                                                                    • Instruction Fuzzy Hash: FC21D232A1411DAFCB10BF68D98065ABBBAEF20354BA505DED409D7111EB30E950CB50
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02B8C057
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTickwsprintf
                                                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                    • API String ID: 2424974917-1012700906
                                                                                                    • Opcode ID: 67e851854120f861f5da0a5e2ac450dead785364edfb7bd8f7d5f71c1c107c44
                                                                                                    • Instruction ID: cbb7d4051d49d3701157e1e934642a758c08c05ab8da35a36d6ed5a1e5008366
                                                                                                    • Opcode Fuzzy Hash: 67e851854120f861f5da0a5e2ac450dead785364edfb7bd8f7d5f71c1c107c44
                                                                                                    • Instruction Fuzzy Hash: CC119772500100FFDB429AA9CD44E567FA6FF88358B34859CF6188E126D633D863EB50
                                                                                                    APIs
                                                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02B826C3
                                                                                                    • inet_ntoa.WS2_32(?), ref: 02B826E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                                                    • String ID: localcfg
                                                                                                    • API String ID: 2112563974-1857712256
                                                                                                    • Opcode ID: ac16451542a2f8624ea68b959944c1e1a9c50dabbf14823b21a7bc579d00891e
                                                                                                    • Instruction ID: c4cf4a56181b61b40c377091f8e230a2f1f209a53951736367eb91f0b32988eb
                                                                                                    • Opcode Fuzzy Hash: ac16451542a2f8624ea68b959944c1e1a9c50dabbf14823b21a7bc579d00891e
                                                                                                    • Instruction Fuzzy Hash: F3F037775482097FEF007FA4ED05AAA379DDF05650F144865FD0CDA090DB71E950D798
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,02B8EB54,_alldiv,02B8F0B7,80000001,00000000,00989680,00000000,?,?,?,02B8E342,00000000,7686EA50,80000001,00000000), ref: 02B8EAF2
                                                                                                    • GetProcAddress.KERNEL32(776F0000,00000000), ref: 02B8EB07
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                    • String ID: ntdll.dll
                                                                                                    • API String ID: 2574300362-2227199552
                                                                                                    • Opcode ID: 3eb7ba9bc0bbc0294932af9c97b584b8a91a872c15caee6188a578beaeb07832
                                                                                                    • Instruction ID: 9192a5ab57e31185019da1a535d4331d15903d011fbf6c8c52e16620fa29fb64
                                                                                                    • Opcode Fuzzy Hash: 3eb7ba9bc0bbc0294932af9c97b584b8a91a872c15caee6188a578beaeb07832
                                                                                                    • Instruction Fuzzy Hash: 6CD0C935A843039BDF126FA9AB8BE0A7AE8EB50781B504C95F40AD3210E731E464DA00
                                                                                                    APIs
                                                                                                      • Part of subcall function 02B82D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,02B82F01,?,02B820FF,02B92000), ref: 02B82D3A
                                                                                                      • Part of subcall function 02B82D21: LoadLibraryA.KERNEL32(?), ref: 02B82D4A
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B82F73
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 02B82F7A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000015.00000002.2522813570.0000000002B80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B80000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_21_2_2b80000_svchost.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 1017166417-0
                                                                                                    • Opcode ID: a9ba42362c8ce043f60e80fa953c219e35f14a2f5e7f7c14abe8c66429398163
                                                                                                    • Instruction ID: e4acbb5a4c534cadd83bcb581ec8b2d215b198ee274eac7429d50bb62985f418
                                                                                                    • Opcode Fuzzy Hash: a9ba42362c8ce043f60e80fa953c219e35f14a2f5e7f7c14abe8c66429398163
                                                                                                    • Instruction Fuzzy Hash: 99518F7190025AAFDF01AF64D888AF9B7B5FF05704F1445A9EC9AD7210E732DA19CF90