
Windows Analysis Report
Eduhazqw4u.exe

Overview

General Information

Sample name: Eduhazqw4u.exe (renamed because original name is a hash value)
Original sample name: fc8ad7d6d34699bb9beeabc22729013c.exe
Analysis ID: 1489271
MD5: fc8ad7d6d34699bb9beeabc22729013c
SHA1: 24280d911c9b4bd748da28561e6405d2a83120c2
SHA256: c73713c849c89dbdb505fdf76aac56dfa62643bf6e089909e1fda8cfa3a8ee7b
Tags: exe, Tofsee

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Eduhazqw4u.exe (PID: 5788 cmdline: "C:\Users\user\Desktop\Eduhazqw4u.exe" MD5: FC8AD7D6D34699BB9BEEABC22729013C)
    • cmd.exe (PID: 6800 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zuvmebno\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2888 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\irxigvn.exe" C:\Windows\SysWOW64\zuvmebno\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4372 cmdline: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5676 cmdline: "C:\Windows\System32\sc.exe" description zuvmebno "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2944 cmdline: "C:\Windows\System32\sc.exe" start zuvmebno MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 3752 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 1708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 636 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 1204 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • irxigvn.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d"C:\Users\user\Desktop\Eduhazqw4u.exe" MD5: 8A86AE967FDA0C3619EE55E3473A57DB)
    • svchost.exe (PID: 2604 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 556 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 3396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 552 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 1632 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 6508 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5788 -ip 5788 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5788 -ip 5788 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5492 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2724 -ip 2724 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2724 -ip 2724 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 2556 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x4773:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security

Source | Rule | Description | Author | Strings
12.2.irxigvn.exe.3080000.2.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
12.2.irxigvn.exe.3080000.2.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.2.irxigvn.exe.3080000.2.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0.3.Eduhazqw4u.exe.2a10000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.3.Eduhazqw4u.exe.2a10000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d"C:\Users\user\Desktop\Eduhazqw4u.exe", ParentImage: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe, ParentProcessId: 2724, ParentProcessName: irxigvn.exe, ProcessCommandLine: svchost.exe, ProcessId: 2604, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Eduhazqw4u.exe", ParentImage: C:\Users\user\Desktop\Eduhazqw4u.exe, ParentProcessId: 5788, ParentProcessName: Eduhazqw4u.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 4372, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.8.49, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 2604, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d"C:\Users\user\Desktop\Eduhazqw4u.exe", ParentImage: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe, ParentProcessId: 2724, ParentProcessName: irxigvn.exe, ProcessCommandLine: svchost.exe, ProcessId: 2604, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2604, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zuvmebno
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\Eduhazqw4u.exe", ParentImage: C:\Users\user\Desktop\Eduhazqw4u.exe, ParentProcessId: 5788, ParentProcessName: Eduhazqw4u.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 4372, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 1632, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: vanaheim.cn:443 | Avira URL Cloud: Label: phishing
Source: jotunheim.name:443 | Avira URL Cloud: Label: malware
Source: 0.2.Eduhazqw4u.exe.400000.0.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\irxigvn.exe | Joe Sandbox ML: detected
Source: Eduhazqw4u.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Unpacked PE file: 0.2.Eduhazqw4u.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Unpacked PE file: 12.2.irxigvn.exe.400000.0.unpack
Source: Eduhazqw4u.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\zuvmebno

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.109 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 213.226.112.95 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.173.26 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 213.226.112.95
Source: Joe Sandbox View | IP Address: 67.195.228.109
Source: Joe Sandbox View | IP Address: 52.101.8.49
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | ASN Name: RETN-ASEU
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 52.101.8.49:25
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 67.195.228.109:25
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 142.251.173.26:25
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Eduhazqw4u.exe PID: 5788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: irxigvn.exe PID: 2724, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2604, type: MEMORYSTR

System Summary

Source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.Eduhazqw4u.exe.2a10000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.Eduhazqw4u.exe.2a10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.irxigvn.exe.2860e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.irxigvn.exe.3040000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.irxigvn.exe.2860e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.irxigvn.exe.3040000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.Eduhazqw4u.exe.29f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.Eduhazqw4u.exe.29f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2074784475.0000000002AA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\zuvmebno\
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 20_2_0298C913
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: String function: 029F27AB appears 35 times
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe | Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5788 -ip 5788
Source: Eduhazqw4u.exe, 00000000.00000002.2074825539.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesOdilesigo: vs Eduhazqw4u.exe
Source: Eduhazqw4u.exe, 00000000.00000000.2014350413.000000000282F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesOdilesigo: vs Eduhazqw4u.exe
Source: Eduhazqw4u.exe | Binary or memory string: OriginalFilenamesOdilesigo: vs Eduhazqw4u.exe
Source: Eduhazqw4u.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.Eduhazqw4u.exe.2a10000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.Eduhazqw4u.exe.2a10000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.irxigvn.exe.2860e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.irxigvn.exe.3040000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.irxigvn.exe.2860e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.irxigvn.exe.3040000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.Eduhazqw4u.exe.29f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.Eduhazqw4u.exe.29f0e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2074784475.0000000002AA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
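        The MEMORY-type matches above name the dump they hit with a Joe Sandbox .sdmp file name whose fields encode the process and the region. The Python below is an added triage aid, not part of the report and not Joe Sandbox code: it decodes those names and groups the hits per region, so an analyst sees which regions are executable private memory (unpacked or injected code), which are a mapped image turned writable and executable, and how the three rule families overlap. The field layout is inferred from this report (0000000C pairs with the 12.2.irxigvn.exe dumps, 00000002 with the .2. snapshots, 0000000000400000 with base 0x400000) and from the Win32 PAGE_* and MEM_* values the fifth and seventh fields match; that decoding, the regex that tolerates the fused "MEMORYMatched rule" text, and the rule-name-to-family mapping are assumptions of the example. The sample input is seven of the MEMORY hits copied from the report with the rule metadata shortened.

```python
"""Decode Joe Sandbox .sdmp dump names and group the MEMORY-type YARA hits by region.

Added example, not part of the report or of Joe Sandbox. The .sdmp field layout
(process index, snapshot, dump id, base, protection, ?, region type, ?) is inferred
from this report and from matching Win32 constants; treat it as an assumption.
Fields 6 and 8 are left undecoded because the page does not pin them down.
"""
import re
from collections import defaultdict

# Win32 memory constants (the values are certain; the field positions are the assumption).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EX_RW"}
PAGE_PROTECT[0x40] = "PAGE_EXECUTE_READWRITE"
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
# Accepts both the fused extraction text ("MEMORYMatched rule") and a separated form.
HIT_RE = re.compile(r"Source:\s*(?P<name>\S+\.sdmp),\s*type:\s*MEMORY\s*\|?\s*Matched rule:\s*(?P<rule>\S+)")
FAMILY_RE = re.compile(r"^(?:Windows_Trojan_|MALWARE_Win_)(?P<family>[A-Za-z]+)")

# Constructed input: seven MEMORY hits copied from the report, rule metadata shortened.
REPORT_LINES = [
    "Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d...",
    "Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen",
    "Source: 0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c",
    "Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f",
    "Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4",
    "Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4",
    "Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen",
]


def decode_sdmp(name):
    """Split an .sdmp name into process index, snapshot, base address, protection and region type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name}")
    prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
    return {"pid": int(m["pid"], 16), "snapshot": int(m["snap"], 16), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot)), "mem_type": MEM_TYPE.get(mtype, hex(mtype))}


def family_of(rule):
    m = FAMILY_RE.match(rule)
    return m["family"] if m else rule


def classify(protect, mem_type):
    """Why the region matters: code outside any mapped image, or an image made writable and executable."""
    if protect in EXECUTABLE and mem_type == "MEM_PRIVATE":
        return "executable private memory (unpacked or injected code)"
    if protect == "PAGE_EXECUTE_READWRITE" and mem_type == "MEM_IMAGE":
        return "writable+executable image (self-modifying PE)"
    return "non-executable memory (staged copy)"


def triage(lines):
    """Group MEMORY hits by (process, base): one row per region, families sorted for stable output."""
    regions = {}
    for line in lines:
        h = HIT_RE.search(line)
        if not h:
            continue
        info = decode_sdmp(h["name"])
        row = regions.setdefault((info["pid"], info["base"]), dict(info, rules=set(), families=set()))
        row["rules"].add(h["rule"])
        row["families"].add(family_of(h["rule"]))
    out = []
    for key in sorted(regions):
        row = regions[key]
        row["rules"], row["families"] = sorted(row["rules"]), sorted(row["families"])
        row["note"] = classify(row["protect"], row["mem_type"])
        out.append(row)
    return out


def family_consensus(lines):
    """Family named on the most distinct regions, with that region count."""
    counts = defaultdict(int)
    for row in triage(lines):
        for fam in row["families"]:
            counts[fam] += 1
    return max(counts.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    for row in triage(REPORT_LINES):
        print(f"pid {row['pid']:>2} base 0x{row['base']:08x} {row['protect']:<22} {row['mem_type']:<11} "
              f"{','.join(row['families']):<22} {row['note']}")
    print("consensus:", family_consensus(REPORT_LINES))
```

        On these seven hits the per-region consensus is Tofsee (four of five regions). The RedLineStealer rule fires alone on one private RWX region and the Smokeloader rule shares a region with Tofsee; that pattern, one generic rule on a region the family rule also covers, is what shared unpacker or library code looks like, so check the extra rule's strings against the dump before reporting a second or third family.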
        Source: Eduhazqw4u.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@40/3@9/5
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_02AA6F21 CreateToolhelp32Snapshot,Module32First,0_2_02AA6F21
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 20_2_02989A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,20_2_02989A6B
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2508:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6508:64:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6648:64:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5492:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5784:64:WilError_03
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | File created: C:\Users\user\AppData\Local\Temp\irxigvn.exe
        Source: Eduhazqw4u.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | File read: C:\Users\user\Desktop\Eduhazqw4u.exe
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-14984
        Source: unknown | Process created: C:\Users\user\Desktop\Eduhazqw4u.exe "C:\Users\user\Desktop\Eduhazqw4u.exe"
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zuvmebno\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\irxigvn.exe" C:\Windows\SysWOW64\zuvmebno\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description zuvmebno "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start zuvmebno
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d"C:\Users\user\Desktop\Eduhazqw4u.exe"
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5788 -ip 5788
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 636
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5788 -ip 5788
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 1204
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2724 -ip 2724
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 556
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2724 -ip 2724
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 552
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
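        The process-creation lines above record the whole installation chain: cmd.exe creates a directory under SysWOW64 and moves the dropped binary into it, sc.exe registers that binary as an auto-start service named zuvmebno with the original sample path passed as a /d argument, netsh.exe adds an inbound allow rule for SysWOW64\svchost.exe, and the service then launches svchost.exe itself, with no -k group and with irxigvn.exe rather than services.exe as its parent. The Python below is an added example, not part of the report and not Joe Sandbox code: it turns those observations into checks over process-creation events and correlates the sc.exe binPath with the directory cmd.exe staged earlier in the same tree. The event records are constructed from the report's command lines (the sc description and sc start steps are left out, and a normal services.exe-launched svchost.exe is added as a control); the KNOWN_SYSTEM_SUBDIRS allowlist is an illustrative assumption, not an inventory of Windows.

```python
"""Detection checks for the service-installation chain recorded above (added example; not rules
from the report or from Joe Sandbox). EVENTS is constructed from the report's command lines ('sc
description' and 'sc start' omitted; image paths are the WOW64-resolved binaries) plus one benign
svchost.exe launch as a control. KNOWN_SYSTEM_SUBDIRS is an illustrative allowlist, an assumption."""
import ntpath
import re

SYSDIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\([^\\]+)\\", re.I)
TOKEN_RE = re.compile(r'(?:[^\s"]|"(?:\\"|[^"])*")+')  # bare chars and "quoted" segments; \" stays inside
KNOWN_SYSTEM_SUBDIRS = {"wbem", "drivers", "spool", "config"}  # assumption: not a real Windows inventory
DROPPER, WOW = "C:\\Users\\user\\Desktop\\Eduhazqw4u.exe", "C:\\Windows\\SysWOW64\\"
EVENTS = [dict(parent=p, image=i, cmdline=c) for p, i, c in [
    (DROPPER, WOW + "cmd.exe", "\"C:\\Windows\\System32\\cmd.exe\" /C mkdir C:\\Windows\\SysWOW64\\zuvmebno\\"),
    (DROPPER, WOW + "cmd.exe", "\"C:\\Windows\\System32\\cmd.exe\" /C move /Y "
     "\"C:\\Users\\user\\AppData\\Local\\Temp\\irxigvn.exe\" C:\\Windows\\SysWOW64\\zuvmebno\\"),
    (DROPPER, WOW + "sc.exe", "\"C:\\Windows\\System32\\sc.exe\" create zuvmebno binPath= \"C:\\Windows\\SysWOW64\\zuvmebno\\"
     "irxigvn.exe /d\\\"C:\\Users\\user\\Desktop\\Eduhazqw4u.exe\\\"\" type= own start= auto DisplayName= \"wifi support\""),
    (DROPPER, WOW + "netsh.exe", "\"C:\\Windows\\System32\\netsh.exe\" advfirewall firewall add rule "
     "name=\"Host-process for services of Windows\" dir=in action=allow program=\"C:\\Windows\\SysWOW64\\svchost.exe\" enable=yes"),
    (WOW + "zuvmebno\\irxigvn.exe", WOW + "svchost.exe", "svchost.exe"),
    ("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe",
     "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup"),  # benign control, constructed
]]


def split_cmdline(cmdline):
    """CommandLineToArgvW-style split: whitespace separates, quotes group, \\" is a literal quote."""
    return [t.replace('\\"', "\x00").replace('"', "").replace("\x00", '"') for t in TOKEN_RE.findall(cmdline)]


def base(path):
    return ntpath.basename(path).lower()


def parse_sc_create(tokens):
    """'sc create NAME key= value ...' -> (NAME, {key: value}); sc's own syntax wants the space after '='."""
    low = [t.lower() for t in tokens]
    if "create" not in low:
        return None
    i = low.index("create")
    name, opts, j = tokens[i + 1], {}, i + 2
    while j < len(tokens):
        key, eq, val = tokens[j].partition("=")
        if eq and not val and j + 1 < len(tokens):  # "binPath= value": the value is the next token
            j += 1
            val = tokens[j]
        opts[key.lower()] = val
        j += 1
    return name, opts


def staged_dirs(events):
    """Directories cmd.exe created (mkdir) or populated (move) anywhere in the tree, for correlation."""
    dirs = set()
    for ev in events:
        toks = split_cmdline(ev["cmdline"])
        low = [t.lower() for t in toks]
        if base(ev["image"]) == "cmd.exe" and ("mkdir" in low or "move" in low):
            target = toks[low.index("mkdir") + 1] if "mkdir" in low else toks[-1]
            dirs.add(target.rstrip("\\").lower())
    return dirs


def check_event(ev, staged):
    """Findings for one event: service creation, firewall exception or svchost.exe launch anomalies."""
    toks = split_cmdline(ev["cmdline"])
    low, img, out = [t.lower() for t in toks], base(ev["image"]), []
    parsed = parse_sc_create(toks) if img == "sc.exe" else None
    if parsed:
        name, opts = parsed
        m = re.match(r'(?P<exe>[^"]*?\.exe)(?P<args>.*)', opts.get("binpath", ""), re.I | re.S)
        exe, args = (m["exe"], m["args"]) if m else (opts.get("binpath", ""), "")
        sd = SYSDIR_RE.match(exe)
        if sd and sd.group(2).lower() not in KNOWN_SYSTEM_SUBDIRS:
            out.append(f"service '{name}' binary in an unexpected {sd.group(1)} subdirectory: {exe}")
        if ntpath.dirname(exe).lower() in staged:
            out.append(f"service '{name}' binPath is a directory cmd.exe created or populated in this tree")
        if "\\users\\" in args.lower():
            out.append(f"service '{name}' arguments embed a user-profile path:{args}")
    elif img == "netsh.exe" and "advfirewall" in low and "add" in low:
        kv = {k.lower(): v for k, _, v in (t.partition("=") for t in toks if "=" in t)}
        if kv.get("action", "").lower() == "allow" and base(kv.get("program", "")) == "svchost.exe":
            out.append(f"allow rule '{kv.get('name')}' for {kv['program']}: the service host needs no hand-made exception")
    elif img == "svchost.exe":
        if base(ev["parent"]) != "services.exe":
            out.append(f"svchost.exe spawned by {ev['parent']} instead of services.exe")
        if "-k" not in low:
            out.append("svchost.exe started without a -k service group")
        if "\\syswow64\\" in ev["image"].lower():
            out.append("32-bit svchost.exe from SysWOW64 (services.exe launches System32\\svchost.exe on x64)")
    return out


def analyze(events):
    staged = staged_dirs(events)
    return [{"index": i, "image": base(ev["image"]), "detail": d}
            for i, ev in enumerate(events) for d in check_event(ev, staged)]


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['index']}] {f['image']:<10} {f['detail']}")
```

        The tokenizer matters more than it looks: sc.exe takes "key= value" with a mandatory space, and the observed binPath embeds escaped quotes around the /d argument, so splitting on whitespace alone would lose the path that ties the service back to the dropper. The svchost.exe findings are high-signal on their own; the service-binary checks need the allowlist tuned to the fleet before they go into production.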
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zuvmebno\Jump to behavior
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\irxigvn.exe" C:\Windows\SysWOW64\zuvmebno\Jump to behavior
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support"Jump to behavior
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description zuvmebno "wifi internet conection"Jump to behavior
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start zuvmebnoJump to behavior
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5788 -ip 5788Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 636Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5788 -ip 5788Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 1204Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2724 -ip 2724Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 556Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2724 -ip 2724Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 552Jump to behavior
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wersvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: windowsperformancerecordercontrol.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: weretw.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: faultrep.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: dbgcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
        Source: Eduhazqw4u.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Unpacked PE file: 0.2.Eduhazqw4u.exe.400000.0.unpack .text:ER;.data:W;.kop:R;.fugadeh:R;.zimig:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Unpacked PE file: 12.2.irxigvn.exe.400000.0.unpack .text:ER;.data:W;.kop:R;.fugadeh:R;.zimig:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Unpacked PE file: 0.2.Eduhazqw4u.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Unpacked PE file: 12.2.irxigvn.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: Eduhazqw4u.exe | Static PE information: section name: .kop
        Source: Eduhazqw4u.exe | Static PE information: section name: .fugadeh
        Source: Eduhazqw4u.exe | Static PE information: section name: .zimig
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_02AAA209 push 0000002Bh; iretd 0_2_02AAA20F
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Code function: 12_2_02985A89 push 0000002Bh; iretd 12_2_02985A8F
        Source: Eduhazqw4u.exe | Static PE information: section name: .text entropy: 7.259879439772542

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | File created: C:\Users\user\AppData\Local\Temp\irxigvn.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zuvmebno
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\eduhazqw4u.exe
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exeCode function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,20_2_0298199C
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-15295
        Source: C:\Windows\SysWOW64\svchost.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_20-7592
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_12-16316
        Source: C:\Windows\SysWOW64\svchost.exeEvaded block: after key decisiongraph_20-6128
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_12-15367
        Source: C:\Windows\SysWOW64\svchost.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_20-7311
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-16016
        Source: C:\Windows\SysWOW64\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_20-7432
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcessgraph_0-15062
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_12-15000
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-14837
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeAPI coverage: 5.4 %
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exeAPI coverage: 3.9 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 320Thread sleep count: 36 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\svchost.exe TID: 320Thread sleep time: -36000s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\Eduhazqw4u.exeCode function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,0_2_00401D96
        Source: svchost.exe, 00000014.00000002.3270539706.0000000002E00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL<Ame
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exeAPI call chain: ExitProcess graph end nodegraph_12-15371
        Source: C:\Windows\SysWOW64\svchost.exeAPI call chain: ExitProcess graph end nodegraph_20-6421

        Anti Debugging

        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_12-16377)
        Source: C:\Windows\SysWOW64\svchost.exe -- Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_20-7653)
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_029F0D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_029F092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_02AA67FE push dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Code function: 12_2_02860D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Code function: 12_2_0286092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Code function: 12_2_0298207E push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 20_2_02989A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe -- Network Connect: 67.195.228.109 25
        Source: C:\Windows\SysWOW64\svchost.exe -- Network Connect: 52.101.8.49 25
        Source: C:\Windows\SysWOW64\svchost.exe -- Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe -- Network Connect: 213.226.112.95 443
        Source: C:\Windows\SysWOW64\svchost.exe -- Network Connect: 142.251.173.26 25
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2980000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Memory written: C:\Windows\SysWOW64\svchost.exe base: 2980000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Memory written: C:\Windows\SysWOW64\svchost.exe base: 2980000
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BFF008
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zuvmebno\
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\irxigvn.exe" C:\Windows\SysWOW64\zuvmebno\
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description zuvmebno "wifi internet conection"
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start zuvmebno
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5788 -ip 5788
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 636
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5788 -ip 5788
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 1204
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2724 -ip 2724
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 556
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2724 -ip 2724
        Source: C:\Windows\System32\svchost.exe -- Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 552
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe -- Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match -- File source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match -- File source: Process Memory Space: Eduhazqw4u.exe PID: 5788, type: MEMORYSTR
        Source: Yara match -- File source: Process Memory Space: irxigvn.exe PID: 2724, type: MEMORYSTR
        Source: Yara match -- File source: Process Memory Space: svchost.exe PID: 2604, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match -- File source: 12.2.irxigvn.exe.3080000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.2.Eduhazqw4u.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.3.irxigvn.exe.3040000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.2.Eduhazqw4u.exe.29f0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.2860e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 20.2.svchost.exe.2980000.0.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.3.Eduhazqw4u.exe.2a10000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 20.2.svchost.exe.2980000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.3080000.2.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0.2.Eduhazqw4u.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 12.2.irxigvn.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match -- File source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match -- File source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match -- File source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match -- File source: Process Memory Space: Eduhazqw4u.exe PID: 5788, type: MEMORYSTR
        Source: Yara match -- File source: Process Memory Space: irxigvn.exe PID: 2724, type: MEMORYSTR
        Source: Yara match -- File source: Process Memory Space: svchost.exe PID: 2604, type: MEMORYSTR
        Source: C:\Users\user\Desktop\Eduhazqw4u.exe -- Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        Source: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe -- Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        Source: C:\Windows\SysWOW64\svchost.exe -- Code function: 20_2_029888B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        MITRE ATT&CK Matrix (one column per tactic; a number in parentheses is the signature hit count for that technique in this analysis)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (41) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (3) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (12) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | Service Execution (3) | Windows Service (14) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (14) | Software Packing (22) | NTDS | System Information Discovery (15) | Distributed Component Object Model | Input Capture | Application Layer Protocol (112) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (412) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (12) | DCSync | Process Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (1) | Proc Filesystem | System Owner/User Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (11) | /etc/passwd and /etc/shadow | System Network Configuration Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (412) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Behavior Graph ID: 1489271, Sample: Eduhazqw4u.exe, Startdate: 07/08/2024, Architecture: WINDOWS, Score: 100

        Top-level network nodes: yahoo.com; vanaheim.cn; 6 other IPs or domains
        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures

        Process tree recovered from the graph (dropped files, signatures and network contacts listed under the process they belong to):

        irxigvn.exe
            signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
            svchost.exe
                network: mta7.am0.yahoodns.net 67.195.228.109, 25, YAHOO-GQ1US, United States; vanaheim.cn 213.226.112.95, 443, 49706, 49715, RETN-ASEU, Russian Federation; 3 other IPs or domains
                signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
            WerFault.exe
            WerFault.exe
        Eduhazqw4u.exe
            dropped: C:\Users\user\AppData\Local\...\irxigvn.exe, PE32
            signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
            cmd.exe
                dropped: C:\Windows\SysWOW64\...\irxigvn.exe (copy), PE32
                conhost.exe
            netsh.exe
                conhost.exe
            cmd.exe
                conhost.exe
            5 other processes
                conhost.exe
                conhost.exe
                conhost.exe
        svchost.exe
            WerFault.exe
            3 other processes
        svchost.exe

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand
        Source | Detection | Scanner | Label | Link
        Eduhazqw4u.exe | 100% | Joe Sandbox ML | |

        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Temp\irxigvn.exe | 100% | Joe Sandbox ML | |

        No Antivirus matches

        No Antivirus matches

        Source | Detection | Scanner | Label | Link
        vanaheim.cn:443 | 100% | Avira URL Cloud | phishing |
        jotunheim.name:443 | 100% | Avira URL Cloud | malware |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        mxs.mail.ru | 217.69.139.150 | true | true | | unknown
        mta7.am0.yahoodns.net | 67.195.228.109 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 52.101.8.49 | true | true | | unknown
        vanaheim.cn | 213.226.112.95 | true | true | | unknown
        smtp.google.com | 142.251.173.26 | true | false | | unknown
        google.com | unknown | unknown | true | | unknown
        yahoo.com | unknown | unknown | true | | unknown
        mail.ru | unknown | unknown | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
        jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        213.226.112.95 | vanaheim.cn | Russian Federation | 9002 | RETN-ASEU | true
        67.195.228.109 | mta7.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
        142.251.173.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        52.101.8.49 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1489271
Start date and time: 2024-08-07 08:48:01 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Eduhazqw4u.exe (renamed because the original name is a hash value)
Original Sample Name: fc8ad7d6d34699bb9beeabc22729013c.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@40/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 61
• Number of non-executed functions: 257
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.76.201.171, 20.236.44.162, 20.112.250.133, 20.70.246.20, 20.231.239.246
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Eduhazqw4u.exe
Time | Type | Description
02:49:38 | API Interceptor | 9x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
213.226.112.95 | igvdwmhd.exe | malicious | Tofsee
213.226.112.95 | fdnoqmpv.exe | malicious | Tofsee
213.226.112.95 | SGn3RtDC8Y.exe | malicious | Tofsee
213.226.112.95 | Sm4Ty3Em4z.exe | malicious | Tofsee
213.226.112.95 | ewdWlNc8TL.exe | malicious | Tofsee
213.226.112.95 | rRBVVlBwia.exe | malicious | Tofsee
67.195.228.109 | file.exe | malicious | Phorpiex
67.195.228.109 | file.exe | malicious | Phorpiex
67.195.228.109 | RqrQG7s66x.dll | malicious | Unknown
67.195.228.109 | gEkl9O5tiu.exe | malicious | Phorpiex
67.195.228.109 | file.exe | malicious | Phorpiex, Xmrig
67.195.228.109 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.228.109 | document_excel.exe | malicious | Unknown
67.195.228.109 | data.log.exe | malicious | Unknown
67.195.228.109 | message.txt.exe | malicious | Unknown
67.195.228.109 | test.msg.exe | malicious | Unknown
52.101.8.49 | .exe | malicious | Unknown
52.101.8.49 | ewdWlNc8TL.exe | malicious | Tofsee
52.101.8.49 | kPl1mZTpru.exe | malicious | Tofsee
52.101.8.49 | Wc4SadetF5.exe | malicious | Tofsee
52.101.8.49 | L7iza9mNDI.exe | malicious | Tofsee
52.101.8.49 | file.exe | malicious | Tofsee
52.101.8.49 | mvu3vh0t.exe | malicious | Tofsee
52.101.8.49 | U9dDsItOij.exe | malicious | Tofsee
52.101.8.49 | bwntJQufLG.exe | malicious | Tofsee
52.101.8.49 | t26nL0kcxj.exe | malicious | Tofsee
217.69.139.150 | SGn3RtDC8Y.exe | malicious | Tofsee
217.69.139.150 | Sm4Ty3Em4z.exe | malicious | Tofsee
217.69.139.150 | ewdWlNc8TL.exe | malicious | Tofsee
217.69.139.150 | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee
217.69.139.150 | vyrcclmm.exe | malicious | Tofsee
217.69.139.150 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
217.69.139.150 | I5vhb7vJPS.exe | malicious | Tofsee
217.69.139.150 | lYWiDKe1In.exe | malicious | Tofsee
217.69.139.150 | dIg0MWRViP.exe | malicious | Tofsee
217.69.139.150 | rpzOeQ5QzX.exe | malicious | Tofsee
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mta7.am0.yahoodns.net | setup.exe | malicious | Tofsee | 98.136.96.76
mta7.am0.yahoodns.net | m4Jp2TLBHJ.exe | malicious | Tofsee | 67.195.204.77
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 67.195.204.74
mta7.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | dIg0MWRViP.exe | malicious | Tofsee | 67.195.228.94
mta7.am0.yahoodns.net | rpzOeQ5QzX.exe | malicious | Tofsee | 98.136.96.91
mta7.am0.yahoodns.net | SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe | malicious | Phorpiex | 67.195.228.94
mta7.am0.yahoodns.net | SecuriteInfo.com.Win32.BotX-gen.31335.5127.exe | malicious | Tofsee | 67.195.204.73
mta7.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.111
mta7.am0.yahoodns.net | file.exe | malicious | Phorpiex | 98.136.96.77
microsoft-com.mail.protection.outlook.com | igvdwmhd.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | fdnoqmpv.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | SGn3RtDC8Y.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | .exe | malicious | Unknown | 52.101.40.26
microsoft-com.mail.protection.outlook.com | Sm4Ty3Em4z.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | ewdWlNc8TL.exe | malicious | Tofsee | 52.101.8.49
microsoft-com.mail.protection.outlook.com | rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | setup.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | m4Jp2TLBHJ.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 104.47.54.36
vanaheim.cn | igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | setup.exe | malicious | Tofsee | 185.218.0.41
vanaheim.cn | m4Jp2TLBHJ.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 195.133.13.231
mxs.mail.ru | igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | setup.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 5CxmQXL0LD.exe | malicious | SystemBC | 94.100.180.31
mxs.mail.ru | m4Jp2TLBHJ.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 217.69.139.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RETN-ASEU | http://pagalfree.com | malicious | Unknown | 139.45.197.236
RETN-ASEU | igvdwmhd.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | fdnoqmpv.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | SGn3RtDC8Y.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | Sm4Ty3Em4z.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | http://baghoorg.xyz | malicious | Unknown | 139.45.197.153
RETN-ASEU | ewdWlNc8TL.exe | malicious | Tofsee | 213.226.112.95
RETN-ASEU | LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 139.45.197.236
RETN-ASEU | LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 139.45.197.236
RETN-ASEU | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
YAHOO-GQ1US | igvdwmhd.exe | malicious | Tofsee | 67.195.228.110
YAHOO-GQ1US | fdnoqmpv.exe | malicious | Tofsee | 67.195.228.94
YAHOO-GQ1US | SGn3RtDC8Y.exe | malicious | Tofsee | 67.195.228.106
YAHOO-GQ1US | .exe | malicious | Unknown | 67.195.228.84
YAHOO-GQ1US | botx.arm6.elf | malicious | Mirai | 98.137.77.194
YAHOO-GQ1US | qD7cj0t7Ag.elf | malicious | Mirai, Moobot | 98.137.186.234
YAHOO-GQ1US | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 67.195.228.94
YAHOO-GQ1US | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
YAHOO-GQ1US | https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500 | malicious | Unknown | 98.137.11.164
YAHOO-GQ1US | dIg0MWRViP.exe | malicious | Tofsee | 67.195.228.94
MAILRU-ASMailRuRU | igvdwmhd.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | fdnoqmpv.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | SGn3RtDC8Y.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | Sm4Ty3Em4z.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | SecuriteInfo.com.Trojan.Crypt.28917.30010.exe | malicious | Unknown | 5.61.236.163
MAILRU-ASMailRuRU | IISz6QDXkY.elf | malicious | Mirai | 5.61.23.77
MAILRU-ASMailRuRU | ewdWlNc8TL.exe | malicious | Tofsee | 217.69.139.150
MAILRU-ASMailRuRU | 7Y18r(123).exe | malicious | Unknown | 94.100.180.106
MAILRU-ASMailRuRU | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
MAILRU-ASMailRuRU | setup.exe | malicious | Tofsee | 94.100.180.31
MICROSOFT-CORP-MSN-AS-BLOCKUS | Contract.exe | malicious | FormBook | 20.2.249.7
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://sanetlink.co.za/sjjsy | malicious | HTMLPhisher | 204.79.197.203
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://ec1e4c015cd1479f5c60e53df3c5168f90e345ae5f216f4c80d1e8325e.pages.dev/ | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | f485caf9-fe36-f720-8653-e449ede99650.eml | malicious | HTMLPhisher | 20.44.10.122
MICROSOFT-CORP-MSN-AS-BLOCKUS | botx.mpsl.elf | malicious | Mirai | 52.187.112.141
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://hhhfhbsvdgghsdghf.com/ | malicious | HTMLPhisher | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://appdownload.deepl.com/windows/0install/deepl.xml | malicious | Unknown | 20.50.88.241
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://wmd.god21.net/ViewSwitcher/SwitchView?mobile=False&returnUrl=https://alch.servicesending.com/OgBHr?e=bWFyay5wZXJraW5zQGZpcnN0b250YXJpby5jb20= | malicious | HTMLPhisher | 13.107.246.73
MICROSOFT-CORP-MSN-AS-BLOCKUS | https://t.co/P0R2WIgttN | malicious | Unknown | 13.107.246.60
MICROSOFT-CORP-MSN-AS-BLOCKUS | http://0204livestapi.staging.rachrah.com/ | malicious | Unknown | 137.116.139.59
                                                                                                No context
                                                                                                No context
Process: C:\Users\user\Desktop\Eduhazqw4u.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11221504
Entropy (8bit): 4.6802352313984725
Encrypted: false
SSDEEP: 98304:u8UkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkD:
MD5: 8A86AE967FDA0C3619EE55E3473A57DB
SHA1: 11EADB0AB7074599DE67780B63C38B5DDE3B74E4
SHA-256: 7A5FDBEC2D00709E1442E1D2E70C43681BF1D34FF2EA3769DA6FBCFA5B934858
SHA-512: E18FA3DE8A905174C63FE936D93DE9B5B9A562A982C6BC452D81EF215989B687AE5E93D2C7199A1E845D3DE21C15F8CF03252789CD3C50A18362E77A3D7FB574
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........73..V],.V],.V],. .,.V],. .,.V],. .,eV],...,.V],.V\,`V],. .,.V],. .,.V],. .,.V],Rich.V],........PE..L...!.Ne.....................$A......[............@...........................C......................................................B.............................d................................A..@............................................text...t........................... ..`.data...T.?......|..................@....kop....F.....B......8..............@..@.fugadeh......B......R..............@..@.zimig........B......V..............@....rsrc.........B.....Z..............@..@................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11221504
Entropy (8bit): 4.6802352313984725
Encrypted: false
SSDEEP: 98304:u8UkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkD:
MD5: 8A86AE967FDA0C3619EE55E3473A57DB
SHA1: 11EADB0AB7074599DE67780B63C38B5DDE3B74E4
SHA-256: 7A5FDBEC2D00709E1442E1D2E70C43681BF1D34FF2EA3769DA6FBCFA5B934858
SHA-512: E18FA3DE8A905174C63FE936D93DE9B5B9A562A982C6BC452D81EF215989B687AE5E93D2C7199A1E845D3DE21C15F8CF03252789CD3C50A18362E77A3D7FB574
Malicious: true
                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........73..V],.V],.V],. .,.V],. .,.V],. .,eV],...,.V],.V\,`V],. .,.V],. .,.V],. .,.V],Rich.V],........PE..L...!.Ne.....................$A......[............@...........................C......................................................B.............................d................................A..@............................................text...t........................... ..`.data...T.?......|..................@....kop....F.....B......8..............@..@.fugadeh......B......R..............@..@.zimig........B......V..............@....rsrc.........B.....Z..............@..@................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):3773
                                                                                                Entropy (8bit):4.7109073551842435
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                                MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                                SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                                SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                                SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                                Malicious:false
                                                                                                Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Entropy (8bit):5.1953609609080615
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:Eduhazqw4u.exe
                                                                                                File size:326'144 bytes
                                                                                                MD5:fc8ad7d6d34699bb9beeabc22729013c
                                                                                                SHA1:24280d911c9b4bd748da28561e6405d2a83120c2
                                                                                                SHA256:c73713c849c89dbdb505fdf76aac56dfa62643bf6e089909e1fda8cfa3a8ee7b
                                                                                                SHA512:2684c138f709bb2e6d497e2678795a5f2c09342d00a96f62df2a79d89bc69e8a452c05c80df391a85874ef0a4540f1c68f2dd6af1c453218ecc973ee4f1347b8
                                                                                                SSDEEP:3072:mmVvJpPS4uAmZQcC3SN5hiN9QO2d5pM9AYw82diDc6b/3VBNaZ+TT:RLPTGQcAc5hk21ZFWFBNu+T
                                                                                                TLSH:9A64BE21B2A4C032DCA7163088F4D6B12E7FBC63677585BB37946B3F6D706C16A6131A
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........73..V],.V],.V],. .,.V],. .,.V],. .,eV],...,.V],.V\,`V],. .,.V],. .,.V],. .,.V],Rich.V],........PE..L...!.Ne...................
                                                                                                Icon Hash:cd4d3d2e4e054d07
                                                                                                Entrypoint:0x405bcd
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x654E9B21 [Fri Nov 10 21:05:37 2023 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:5
                                                                                                OS Version Minor:1
                                                                                                File Version Major:5
                                                                                                File Version Minor:1
                                                                                                Subsystem Version Major:5
                                                                                                Subsystem Version Minor:1
                                                                                                Import Hash:42b9ff7c49af3020989d2bd49c20164f
                                                                                                Instruction
                                                                                                call 00007F571CF63EFFh
                                                                                                jmp 00007F571CF5F46Eh
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                call 00007F571CF5F61Ch
                                                                                                xchg cl, ch
                                                                                                jmp 00007F571CF5F604h
                                                                                                call 00007F571CF5F613h
                                                                                                fxch st(0), st(1)
                                                                                                jmp 00007F571CF5F5FBh
                                                                                                fabs
                                                                                                fld1
                                                                                                mov ch, cl
                                                                                                xor cl, cl
                                                                                                jmp 00007F571CF5F5F1h
                                                                                                mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                                                                fabs
                                                                                                fxch st(0), st(1)
                                                                                                fabs
                                                                                                fxch st(0), st(1)
                                                                                                fpatan
                                                                                                or cl, cl
                                                                                                je 00007F571CF5F5E6h
                                                                                                fldpi
                                                                                                fsubrp st(1), st(0)
                                                                                                or ch, ch
                                                                                                je 00007F571CF5F5E4h
                                                                                                fchs
                                                                                                ret
                                                                                                fabs
                                                                                                fld st(0), st(0)
                                                                                                fld st(0), st(0)
                                                                                                fld1
                                                                                                fsubrp st(1), st(0)
                                                                                                fxch st(0), st(1)
                                                                                                fld1
                                                                                                faddp st(1), st(0)
                                                                                                fmulp st(1), st(0)
                                                                                                ftst
                                                                                                wait
                                                                                                fstsw word ptr [ebp-000000A0h]
                                                                                                wait
                                                                                                test byte ptr [ebp-0000009Fh], 00000001h
                                                                                                jne 00007F571CF5F5E7h
                                                                                                xor ch, ch
                                                                                                fsqrt
                                                                                                ret
                                                                                                pop eax
                                                                                                jmp 00007F571CF5FFFFh
                                                                                                fstp st(0)
                                                                                                fld tbyte ptr [00401C9Ah]
                                                                                                ret
                                                                                                fstp st(0)
                                                                                                or cl, cl
                                                                                                je 00007F571CF5F5EDh
                                                                                                fstp st(0)
                                                                                                fldpi
                                                                                                or ch, ch
                                                                                                je 00007F571CF5F5E4h
                                                                                                fchs
                                                                                                ret
                                                                                                fstp st(0)
                                                                                                fldz
                                                                                                or ch, ch
                                                                                                je 00007F571CF5F5D9h
                                                                                                fchs
                                                                                                ret
                                                                                                fstp st(0)
                                                                                                jmp 00007F571CF5FFD5h
                                                                                                fstp st(0)
                                                                                                mov cl, ch
                                                                                                jmp 00007F571CF5F5E2h
                                                                                                call 00007F571CF5F5AEh
                                                                                                jmp 00007F571CF5FFE0h
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                int3
                                                                                                push ebp
                                                                                                mov ebp, esp
                                                                                                add esp, 00000000h
                                                                                                Programming Language:
                                                                                                • [C++] VS2010 build 30319
                                                                                                • [ASM] VS2010 build 30319
                                                                                                • [ C ] VS2010 build 30319
                                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                                • [RES] VS2010 build 30319
                                                                                                • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2bad8 | 0x8c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x242f000 | 0x9e10 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2bb64 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4198 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x200 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2b674 | 0x2b800 | b26a6b43014c816d875ad43bc1c017c5 | False | 0.7340663164511494 | data | 7.259879439772542 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x23fd754 | 0x17c00 | 9d7196c6b479127de143079117598fdc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.kop | 0x242b000 | 0x1846 | 0x1a00 | 3c63825015aabd810674f44afac6d12b | False | 0.004356971153846154 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fugadeh | 0x242d000 | 0x2d3 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zimig | 0x242e000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x242f000 | 0x9e10 | 0xa000 | 9f5434e1edbcb483662711ade1f3a682 | False | 0.42646484375 | data | 4.654582085204266 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
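The section table is the one static artefact on this page that rewards scripting against: .data declares a virtual size of 0x23fd754 bytes backed by only 0x17c00 bytes on disk, three sections carry generated-looking names (.kop, .fugadeh, .zimig), and the only executable section has an entropy of 7.26, which is far above what compiled x86 code normally shows and fits the "detected unpacking" signatures in the summary. The Python below is an added triage example written for this page, not Joe Sandbox code. The section values are transcribed from the table; the thresholds (8x virtual-to-raw inflation, entropy 7.0 for code, 16x image-to-file inflation), the list of conventional section names and the 0x1000 section alignment are assumptions made for the example.

```python
"""Triage checks over a PE section table.

Added example for this report; not Joe Sandbox code. The section rows are
transcribed from the report's section table for Eduhazqw4u.exe. Thresholds,
the alignment and the list of conventional section names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

PAGE = 0x1000                 # assumed section alignment; every VA in the table is page-aligned
FILE_SIZE = 326_144           # "File size" from the report
CONVENTIONAL_NAMES = frozenset({".text", ".data", ".rdata", ".bss", ".idata",
                                ".edata", ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"})


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int
    vsize: int
    rawsize: int
    entropy: Optional[float]      # None where the report printed "unknown"
    flags: FrozenSet[str]


# Values from the section table above (IMAGE_SCN_ prefix dropped from the flags).
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x2b674, 0x2b800, 7.2599, frozenset({"CNT_CODE", "MEM_EXECUTE", "MEM_READ"})),
    Section(".data", 0x2d000, 0x23fd754, 0x17c00, None, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".kop", 0x242b000, 0x1846, 0x1a00, 0.0, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".fugadeh", 0x242d000, 0x2d3, 0x400, 0.0, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
    Section(".zimig", 0x242e000, 0x400, 0x400, 0.0, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"})),
    Section(".rsrc", 0x242f000, 0x9e10, 0xa000, 4.6546, frozenset({"CNT_INITIALIZED_DATA", "MEM_READ"})),
]


def align_up(n: int, a: int = PAGE) -> int:
    return (n + a - 1) // a * a


def mapped_image_size(sections: List[Section]) -> int:
    """Bytes the loader reserves for the image: end of the highest section, page-aligned."""
    return max(align_up(s.vaddr + s.vsize) for s in sections)


def section_findings(s: Section, vsize_ratio: int = 8, code_entropy: float = 7.0) -> List[str]:
    """Tags for one section. The thresholds are assumptions; tune them to your corpus."""
    tags = []
    if s.name not in CONVENTIONAL_NAMES:
        tags.append("nonstandard-name")
    if s.vsize > vsize_ratio * max(s.rawsize, 1):
        # Large zero-filled region that exists only once mapped: keeps the file
        # small on disk while the in-memory image balloons.
        tags.append("virtual-size-inflated")
    if "MEM_EXECUTE" in s.flags and "MEM_WRITE" in s.flags:
        tags.append("writable-code")
    if "MEM_EXECUTE" in s.flags and s.entropy is not None and s.entropy >= code_entropy:
        # Compiled x86 code usually sits well below 7 bits/byte; higher points at packed or encrypted code.
        tags.append("high-entropy-code")
    if s.entropy is None:
        tags.append("entropy-unavailable")
    return tags


def triage(sections: List[Section], file_size: int, image_ratio: int = 16) -> Dict[str, List[str]]:
    """Per-section tags plus a whole-image comparison of mapped size against bytes on disk."""
    report = {s.name: section_findings(s) for s in sections}
    image = mapped_image_size(sections)
    image_tags = [f"mapped {image} bytes vs {file_size} bytes on disk"]
    if image > image_ratio * file_size:
        image_tags.append("image-inflation")
    report["<image>"] = image_tags
    return report


if __name__ == "__main__":
    for name, tags in triage(SECTIONS, FILE_SIZE).items():
        print(f"{name:10} {', '.join(tags) or 'clean'}")
```

Run stand-alone it prints one line per section; for this sample .data gets virtual-size-inflated, .text gets high-entropy-code, the three oddly named sections get nonstandard-name and .rsrc is clean. The mapped image comes out at 0x2439000 bytes (about 38 MB) for a 326 KB file, which is the number behind the page's unpacking signatures: the real payload is written into that reserved region at run time, not read from disk.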
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x2435d58 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x2435e88 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x2435f60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x2436e08 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x24376b0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x242f4e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.47121535181236673
RT_ICON | 0x242f4e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.47121535181236673
RT_ICON | 0x2430388 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5879963898916968
RT_ICON | 0x2430388 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5879963898916968
RT_ICON | 0x2430c30 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.646889400921659
RT_ICON | 0x2430c30 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.646889400921659
RT_ICON | 0x24312f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6972543352601156
RT_ICON | 0x24312f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6972543352601156
RT_ICON | 0x2431860 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | India | 0.37105809128630707
RT_ICON | 0x2431860 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Tamil | Sri Lanka | 0.37105809128630707
RT_ICON | 0x2433e08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | India | 0.4648217636022514
RT_ICON | 0x2433e08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Tamil | Sri Lanka | 0.4648217636022514
RT_ICON | 0x2434eb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | India | 0.5405737704918033
RT_ICON | 0x2434eb0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Tamil | Sri Lanka | 0.5405737704918033
RT_ICON | 0x2435838 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | India | 0.6356382978723404
RT_ICON | 0x2435838 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Tamil | Sri Lanka | 0.6356382978723404
RT_STRING | 0x2437e80 | 0x446 | data | Tamil | India | 0.45429616087751373
RT_STRING | 0x2437e80 | 0x446 | data | Tamil | Sri Lanka | 0.45429616087751373
RT_STRING | 0x24382c8 | 0x28e | data | Tamil | India | 0.481651376146789
RT_STRING | 0x24382c8 | 0x28e | data | Tamil | Sri Lanka | 0.481651376146789
RT_STRING | 0x2438558 | 0x658 | data | Tamil | India | 0.42980295566502463
RT_STRING | 0x2438558 | 0x658 | data | Tamil | Sri Lanka | 0.42980295566502463
RT_STRING | 0x2438bb0 | 0x25a | data | Tamil | India | 0.47840531561461797
RT_STRING | 0x2438bb0 | 0x25a | data | Tamil | Sri Lanka | 0.47840531561461797
RT_ACCELERATOR | 0x2435d18 | 0x40 | data | Tamil | India | 0.875
RT_ACCELERATOR | 0x2435d18 | 0x40 | data | Tamil | Sri Lanka | 0.875
RT_GROUP_CURSOR | 0x2435f38 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x2437c18 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x2435ca0 | 0x76 | data | Tamil | India | 0.6610169491525424
RT_GROUP_ICON | 0x2435ca0 | 0x76 | data | Tamil | Sri Lanka | 0.6610169491525424
RT_VERSION | 0x2437c48 | 0x234 | data | | | 0.5283687943262412
DLL | Imports
KERNEL32.dll | CreateNamedPipeW, GetConsoleAliasesA, EnumTimeFormatsA, GetConsoleCP, GlobalAlloc, GetSystemDirectoryW, SetFileShortNameW, LoadLibraryW, CreateEventA, GetConsoleAliasW, HeapValidate, GetModuleFileNameW, ReplaceFileA, LCMapStringA, GetLastError, SetLastError, GetProcAddress, FindVolumeMountPointClose, PeekConsoleInputW, IsBadHugeWritePtr, CreateJobSet, GlobalFree, LoadLibraryA, InterlockedExchangeAdd, CreateFileMappingA, GetTickCount, GetNumberFormatW, AddAtomW, QueryDosDeviceW, HeapWalk, FoldStringA, SetEnvironmentVariableA, GetOEMCP, GetModuleHandleA, GetProcessShutdownParameters, RequestWakeupLatency, EnumDateFormatsW, FatalAppExitA, GetDiskFreeSpaceExA, GetCurrentProcessId, GetProcessHeap, SetEndOfFile, GetStringTypeW, LCMapStringW, MultiByteToWideChar, WriteConsoleW, CreateJobObjectW, CommConfigDialogA, GetConsoleAliasesLengthW, CreateFileA, SetConsoleCtrlHandler, EnumResourceNamesW, HeapSize, FlushFileBuffers, CreateFileW, SetStdHandle, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, TerminateProcess, GetCurrentProcess, HeapAlloc, HeapFree, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, RtlUnwind, SetFilePointer, HeapCreate, CloseHandle, RaiseException, GetModuleHandleW, ExitProcess, WriteFile, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetSystemTimeAsFileTime, Sleep, GetConsoleMode, GetCPInfo, GetACP, IsValidCodePage, ReadFile
USER32.dll | GetSysColorBrush, GetComboBoxInfo, SetClipboardViewer, GetDC, ChangeMenuA, GetMenuState, DrawStateA, CharUpperBuffA, GetCaretPos
GDI32.dll | GetCharWidthI, CreateDCA, CreateDCW, GetCharWidthA, GetCharWidthW
SHELL32.dll | FindExecutableA
ole32.dll | StringFromIID, CoSuspendClassObjects
WINHTTP.dll | WinHttpCheckPlatform
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 7, 2024 08:48:56.847681999 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
Aug 7, 2024 08:48:57.852147102 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
Aug 7, 2024 08:48:59.851365089 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
Aug 7, 2024 08:48:59.911468983 CEST | 49706 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:48:59.911509037 CEST | 443 | 49706 | 213.226.112.95 | 192.168.2.5
Aug 7, 2024 08:48:59.911581993 CEST | 49706 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:49:03.851581097 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
Aug 7, 2024 08:49:11.851372004 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
Aug 7, 2024 08:49:17.032156944 CEST | 49713 | 25 | 192.168.2.5 | 67.195.228.109
Aug 7, 2024 08:49:18.039005041 CEST | 49713 | 25 | 192.168.2.5 | 67.195.228.109
Aug 7, 2024 08:49:20.054594994 CEST | 49713 | 25 | 192.168.2.5 | 67.195.228.109
Aug 7, 2024 08:49:24.054573059 CEST | 49713 | 25 | 192.168.2.5 | 67.195.228.109
Aug 7, 2024 08:49:32.054501057 CEST | 49713 | 25 | 192.168.2.5 | 67.195.228.109
Aug 7, 2024 08:49:37.041805983 CEST | 49714 | 25 | 192.168.2.5 | 142.251.173.26
Aug 7, 2024 08:49:38.054531097 CEST | 49714 | 25 | 192.168.2.5 | 142.251.173.26
Aug 7, 2024 08:49:39.898469925 CEST | 49706 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:49:39.898571014 CEST | 443 | 49706 | 213.226.112.95 | 192.168.2.5
Aug 7, 2024 08:49:39.898674011 CEST | 49706 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:49:40.009717941 CEST | 49715 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:49:40.009777069 CEST | 443 | 49715 | 213.226.112.95 | 192.168.2.5
Aug 7, 2024 08:49:40.009872913 CEST | 49715 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:49:40.054568052 CEST | 49714 | 25 | 192.168.2.5 | 142.251.173.26
Aug 7, 2024 08:49:44.070182085 CEST | 49714 | 25 | 192.168.2.5 | 142.251.173.26
Aug 7, 2024 08:49:52.085886002 CEST | 49714 | 25 | 192.168.2.5 | 142.251.173.26
Aug 7, 2024 08:49:57.070931911 CEST | 49717 | 25 | 192.168.2.5 | 217.69.139.150
Aug 7, 2024 08:49:58.070369959 CEST | 49717 | 25 | 192.168.2.5 | 217.69.139.150
Aug 7, 2024 08:50:00.070158005 CEST | 49717 | 25 | 192.168.2.5 | 217.69.139.150
Aug 7, 2024 08:50:04.085748911 CEST | 49717 | 25 | 192.168.2.5 | 217.69.139.150
Aug 7, 2024 08:50:12.085758924 CEST | 49717 | 25 | 192.168.2.5 | 217.69.139.150
Aug 7, 2024 08:50:20.007740021 CEST | 49715 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:50:20.007842064 CEST | 443 | 49715 | 213.226.112.95 | 192.168.2.5
Aug 7, 2024 08:50:20.007939100 CEST | 49715 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:50:20.118040085 CEST | 49718 | 443 | 192.168.2.5 | 213.226.112.95
Aug 7, 2024 08:50:20.118117094 CEST | 443 | 49718 | 213.226.112.95 | 192.168.2.5
Aug 7, 2024 08:50:20.118232012 CEST | 49718 | 443 | 192.168.2.5 | 213.226.112.95
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 7, 2024 08:48:56.791007042 CEST | 60322 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:48:56.846602917 CEST | 53 | 60322 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:48:59.758497953 CEST | 56272 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:48:59.910664082 CEST | 53 | 56272 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:49:16.852161884 CEST | 57766 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:49:17.022777081 CEST | 53 | 57766 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:49:17.024105072 CEST | 54014 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:49:17.031532049 CEST | 53 | 54014 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:49:37.023935080 CEST | 52646 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:49:37.032103062 CEST | 53 | 52646 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:49:37.033046961 CEST | 57336 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:49:37.041183949 CEST | 53 | 57336 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:49:57.055203915 CEST | 58448 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:49:57.062386990 CEST | 53 | 58448 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:49:57.063031912 CEST | 64458 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:49:57.070398092 CEST | 53 | 64458 | 1.1.1.1 | 192.168.2.5
Aug 7, 2024 08:50:55.967662096 CEST | 65478 | 53 | 192.168.2.5 | 1.1.1.1
Aug 7, 2024 08:50:56.215331078 CEST | 53 | 65478 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 7, 2024 08:48:56.791007042 CEST | 192.168.2.5 | 1.1.1.1 | 0xc097 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:48:59.758497953 CEST | 192.168.2.5 | 1.1.1.1 | 0x30f4 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:16.852161884 CEST | 192.168.2.5 | 1.1.1.1 | 0xe943 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:17.024105072 CEST | 192.168.2.5 | 1.1.1.1 | 0x2d3 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:37.023935080 CEST | 192.168.2.5 | 1.1.1.1 | 0x8bb2 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:37.033046961 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f37 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:57.055203915 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc45 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:57.063031912 CEST | 192.168.2.5 | 1.1.1.1 | 0xca2e | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:50:55.967662096 CEST | 192.168.2.5 | 1.1.1.1 | 0x7948 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 7, 2024 08:48:56.846602917 CEST | 1.1.1.1 | 192.168.2.5 | 0xc097 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:48:56.846602917 CEST | 1.1.1.1 | 192.168.2.5 | 0xc097 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:48:56.846602917 CEST | 1.1.1.1 | 192.168.2.5 | 0xc097 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:48:56.846602917 CEST | 1.1.1.1 | 192.168.2.5 | 0xc097 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:48:59.910664082 CEST | 1.1.1.1 | 192.168.2.5 | 0x30f4 | No error (0) | vanaheim.cn | | 213.226.112.95 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.022777081 CEST | 1.1.1.1 | 192.168.2.5 | 0xe943 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:17.022777081 CEST | 1.1.1.1 | 192.168.2.5 | 0xe943 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:17.022777081 CEST | 1.1.1.1 | 192.168.2.5 | 0xe943 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:17.031532049 CEST | 1.1.1.1 | 192.168.2.5 | 0x2d3 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:37.032103062 CEST | 1.1.1.1 | 192.168.2.5 | 0x8bb2 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:37.041183949 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f37 | No error (0) | smtp.google.com | | 142.251.173.26 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:37.041183949 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f37 | No error (0) | smtp.google.com | | 74.125.206.26 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:37.041183949 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f37 | No error (0) | smtp.google.com | | 74.125.206.27 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:37.041183949 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f37 | No error (0) | smtp.google.com | | 142.251.173.27 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:37.041183949 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f37 | No error (0) | smtp.google.com | | 64.233.167.27 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:57.062386990 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc45 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Aug 7, 2024 08:49:57.070398092 CEST | 1.1.1.1 | 192.168.2.5 | 0xca2e | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:49:57.070398092 CEST | 1.1.1.1 | 192.168.2.5 | 0xca2e | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:50:56.215331078 CEST | 1.1.1.1 | 192.168.2.5 | 0x7948 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:50:56.215331078 CEST | 1.1.1.1 | 192.168.2.5 | 0x7948 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:50:56.215331078 CEST | 1.1.1.1 | 192.168.2.5 | 0x7948 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Aug 7, 2024 08:50:56.215331078 CEST | 1.1.1.1 | 192.168.2.5 | 0x7948 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false

Target ID:0
Start time:02:48:48
Start date:07/08/2024
Path:C:\Users\user\Desktop\Eduhazqw4u.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Eduhazqw4u.exe"
Imagebase:0x400000
File size:326'144 bytes
MD5 hash:FC8AD7D6D34699BB9BEEABC22729013C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2035103007.0000000002A10000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2074784475.0000000002AA2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:low
Has exited:true

Target ID:2
Start time:02:48:50
Start date:07/08/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zuvmebno\
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:02:48:50
Start date:07/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:02:48:51
Start date:07/08/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\irxigvn.exe" C:\Windows\SysWOW64\zuvmebno\
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:02:48:51
Start date:07/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:02:48:51
Start date:07/08/2024
Path:C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\sc.exe" create zuvmebno binPath= "C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d\"C:\Users\user\Desktop\Eduhazqw4u.exe\"" type= own start= auto DisplayName= "wifi support"
Imagebase:0x7e0000
File size:61'440 bytes
MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:7
Start time:02:48:51
Start date:07/08/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:02:48:52
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\sc.exe" description zuvmebno "wifi internet conection"
                                                                                                Imagebase:0x7e0000
                                                                                                File size:61'440 bytes
                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:9
                                                                                                Start time:02:48:52
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:10
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\sc.exe" start zuvmebno
                                                                                                Imagebase:0x7e0000
                                                                                                File size:61'440 bytes
                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                Target ID:11
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\zuvmebno\irxigvn.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\zuvmebno\irxigvn.exe /d"C:\Users\user\Desktop\Eduhazqw4u.exe"
                                                                                                Imagebase:0x400000
                                                                                                File size:11'221'504 bytes
                                                                                                MD5 hash:8A86AE967FDA0C3619EE55E3473A57DB
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2090729100.0000000003080000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2084954417.0000000003040000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                                Imagebase:0x1080000
                                                                                                File size:82'432 bytes
                                                                                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:14
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:15
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                Imagebase:0x7ff7e52b0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:16
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5788 -ip 5788
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:17
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 636
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:18
                                                                                                Start time:02:48:53
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5788 -ip 5788
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:02:48:54
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 1204
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:02:48:55
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:svchost.exe
                                                                                                Imagebase:0x540000
                                                                                                File size:46'504 bytes
                                                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                Has exited:false

                                                                                                Target ID:21
                                                                                                Start time:02:48:55
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2724 -ip 2724
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:22
                                                                                                Start time:02:48:55
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 556
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:23
                                                                                                Start time:02:48:55
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2724 -ip 2724
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:24
                                                                                                Start time:02:48:55
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 552
                                                                                                Imagebase:0x790000
                                                                                                File size:483'680 bytes
                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:27
                                                                                                Start time:02:49:35
                                                                                                Start date:07/08/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                Imagebase:0x7ff7e52b0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:false
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:3.6%
                                                                                                  Dynamic/Decrypted Code Coverage:30.8%
                                                                                                  Signature Coverage:25.4%
                                                                                                  Total number of Nodes:1558
                                                                                                  Total number of Limit Nodes:18
                                                                                                  execution_graph 14807 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 14925 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14807->14925 14809 409a95 14810 409aa3 GetModuleHandleA GetModuleFileNameA 14809->14810 14816 40a3c7 14809->14816 14824 409ac4 14810->14824 14811 40a41c CreateThread WSAStartup 15094 40e52e 14811->15094 15972 40405e CreateEventA 14811->15972 14813 409afd GetCommandLineA 14822 409b22 14813->14822 14814 40a406 DeleteFileA 14814->14816 14817 40a40d 14814->14817 14815 40a445 15113 40eaaf 14815->15113 14816->14811 14816->14814 14816->14817 14819 40a3ed GetLastError 14816->14819 14817->14811 14819->14817 14821 40a3f8 Sleep 14819->14821 14820 40a44d 15117 401d96 14820->15117 14821->14814 14827 409c0c 14822->14827 14834 409b47 14822->14834 14824->14813 14825 40a457 15165 4080c9 14825->15165 14926 4096aa 14827->14926 14839 409b96 lstrlenA 14834->14839 14841 409b58 14834->14841 14835 40a1d2 14842 40a1e3 GetCommandLineA 14835->14842 14836 409c39 14837 40a167 GetModuleHandleA GetModuleFileNameA 14836->14837 14932 404280 CreateEventA 14836->14932 14840 409c05 ExitProcess 14837->14840 14844 40a189 14837->14844 14839->14841 14841->14840 14848 40675c 21 API calls 14841->14848 14868 40a205 14842->14868 14844->14840 14851 40a1b2 GetDriveTypeA 14844->14851 14852 409be3 14848->14852 14851->14840 14853 40a1c5 14851->14853 14852->14840 15031 406a60 CreateFileA 14852->15031 15075 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 14853->15075 14859 40a491 14860 40a49f GetTickCount 14859->14860 14862 40a4be Sleep 14859->14862 14867 40a4b7 GetTickCount 14859->14867 15211 40c913 14859->15211 14860->14859 14860->14862 14862->14859 14864 409ca0 GetTempPathA 14865 409e3e 14864->14865 14866 409cba 14864->14866 14871 409e6b GetEnvironmentVariableA 14865->14871 14875 409e04 14865->14875 14987 4099d2 lstrcpyA 14866->14987 14867->14862 14872 
40a285 lstrlenA 14868->14872 14884 40a239 14868->14884 14871->14875 14876 409e7d 14871->14876 14872->14884 15070 40ec2e 14875->15070 14877 4099d2 16 API calls 14876->14877 14878 409e9d 14877->14878 14878->14875 14883 409eb0 lstrcpyA lstrlenA 14878->14883 14881 409d5f 15050 406cc9 14881->15050 14882 40a3c2 15087 4098f2 14882->15087 14887 409ef4 14883->14887 15083 406ec3 14884->15083 14891 406dc2 6 API calls 14887->14891 14893 409f03 14887->14893 14888 40a39d StartServiceCtrlDispatcherA 14888->14882 14890 40a35f 14890->14882 14890->14890 14896 40a37b 14890->14896 14891->14893 14892 409cf6 14994 409326 14892->14994 14894 409f32 RegOpenKeyExA 14893->14894 14895 409f48 RegSetValueExA RegCloseKey 14894->14895 14899 409f70 14894->14899 14895->14899 14896->14888 14905 409f9d GetModuleHandleA GetModuleFileNameA 14899->14905 14900 409e0c DeleteFileA 14900->14865 14901 409dde GetFileAttributesExA 14901->14900 14903 409df7 14901->14903 14903->14875 14904 409dff 14903->14904 15060 4096ff 14904->15060 14907 409fc2 14905->14907 14908 40a093 14905->14908 14907->14908 14913 409ff1 GetDriveTypeA 14907->14913 14909 40a103 CreateProcessA 14908->14909 14912 40a0a4 wsprintfA 14908->14912 14910 40a13a 14909->14910 14911 40a12a DeleteFileA 14909->14911 14910->14875 14918 4096ff 3 API calls 14910->14918 14911->14910 15066 402544 14912->15066 14913->14908 14915 40a00d 14913->14915 14920 40a02d lstrcatA 14915->14920 14918->14875 14921 40a046 14920->14921 14922 40a052 lstrcatA 14921->14922 14923 40a064 lstrcatA 14921->14923 14922->14923 14923->14908 14924 40a081 lstrcatA 14923->14924 14924->14908 14925->14809 14927 4096b9 14926->14927 15314 4073ff 14927->15314 14929 4096e2 14931 4096f7 14929->14931 15334 40704c 14929->15334 14931->14835 14931->14836 14933 4042a5 14932->14933 14939 40429d 14932->14939 15359 403ecd 14933->15359 14935 4042b0 15363 404000 14935->15363 14938 4043c1 CloseHandle 14938->14939 14939->14837 14959 40675c 14939->14959 14940 4042ce 15369 403f18 WriteFile 14940->15369 
14945 4043ba CloseHandle 14945->14938 14946 404318 14947 403f18 4 API calls 14946->14947 14948 404331 14947->14948 14949 403f18 4 API calls 14948->14949 14950 40434a 14949->14950 15377 40ebcc GetProcessHeap RtlAllocateHeap 14950->15377 14953 403f18 4 API calls 14954 404389 14953->14954 14955 40ec2e codecvt 4 API calls 14954->14955 14956 40438f 14955->14956 14957 403f8c 4 API calls 14956->14957 14958 40439f CloseHandle CloseHandle 14957->14958 14958->14939 14960 406784 CreateFileA 14959->14960 14961 40677a SetFileAttributesA 14959->14961 14962 4067a4 CreateFileA 14960->14962 14963 4067b5 14960->14963 14961->14960 14962->14963 14964 4067c5 14963->14964 14965 4067ba SetFileAttributesA 14963->14965 14966 406977 14964->14966 14967 4067cf GetFileSize 14964->14967 14965->14964 14966->14837 14966->14864 14966->14865 14968 4067e5 14967->14968 14969 406965 14967->14969 14968->14969 14970 4067ed ReadFile 14968->14970 14971 40696e FindCloseChangeNotification 14969->14971 14970->14969 14972 406811 SetFilePointer 14970->14972 14971->14966 14972->14969 14973 40682a ReadFile 14972->14973 14973->14969 14974 406848 SetFilePointer 14973->14974 14974->14969 14975 406867 14974->14975 14976 4068d5 14975->14976 14977 406878 ReadFile 14975->14977 14976->14971 14979 40ebcc 4 API calls 14976->14979 14978 4068d0 14977->14978 14981 406891 14977->14981 14978->14976 14980 4068f8 14979->14980 14980->14969 14982 406900 SetFilePointer 14980->14982 14981->14977 14981->14978 14983 40695a 14982->14983 14984 40690d ReadFile 14982->14984 14986 40ec2e codecvt 4 API calls 14983->14986 14984->14983 14985 406922 14984->14985 14985->14971 14986->14969 14988 4099eb 14987->14988 14989 409a2f lstrcatA 14988->14989 14990 40ee2a 14989->14990 14991 409a4b lstrcatA 14990->14991 14992 406a60 13 API calls 14991->14992 14993 409a60 14992->14993 14993->14865 14993->14892 15044 406dc2 14993->15044 15383 401910 14994->15383 14997 40934a GetModuleHandleA GetModuleFileNameA 14999 40937f 14997->14999 15000 4093a4 
14999->15000 15001 4093d9 14999->15001 15002 4093c3 wsprintfA 15000->15002 15003 409401 wsprintfA 15001->15003 15005 409415 15002->15005 15003->15005 15004 4094a0 15385 406edd 15004->15385 15005->15004 15008 406cc9 5 API calls 15005->15008 15007 4094ac 15009 40962f 15007->15009 15010 4094e8 RegOpenKeyExA 15007->15010 15014 409439 15008->15014 15016 409646 15009->15016 15413 401820 15009->15413 15012 409502 15010->15012 15013 4094fb 15010->15013 15019 40951f RegQueryValueExA 15012->15019 15013->15009 15018 40958a 15013->15018 15398 40ef1e lstrlenA 15014->15398 15025 4095d6 15016->15025 15393 4091eb 15016->15393 15018->15016 15023 409593 15018->15023 15020 409530 15019->15020 15021 409539 15019->15021 15024 40956e RegCloseKey 15020->15024 15026 409556 RegQueryValueExA 15021->15026 15022 409462 15027 40947e wsprintfA 15022->15027 15023->15025 15400 40f0e4 15023->15400 15024->15013 15025->14900 15025->14901 15026->15020 15026->15024 15027->15004 15029 4095bb 15029->15025 15407 4018e0 15029->15407 15032 406b8c GetLastError 15031->15032 15033 406a8f GetDiskFreeSpaceA 15031->15033 15034 406b86 15032->15034 15035 406ac5 15033->15035 15043 406ad7 15033->15043 15034->14840 15461 40eb0e 15035->15461 15039 406b56 FindCloseChangeNotification 15039->15034 15042 406b65 GetLastError CloseHandle 15039->15042 15040 406b36 GetLastError CloseHandle 15041 406b7f DeleteFileA 15040->15041 15041->15034 15042->15041 15455 406987 15043->15455 15045 406e24 15044->15045 15046 406dd7 15044->15046 15045->14881 15047 406cc9 5 API calls 15046->15047 15048 406ddc 15047->15048 15048->15045 15048->15048 15049 406e02 GetVolumeInformationA 15048->15049 15049->15045 15051 406cdc GetModuleHandleA GetProcAddress 15050->15051 15052 406dbe lstrcpyA lstrcatA lstrcatA 15050->15052 15053 406d12 GetSystemDirectoryA 15051->15053 15054 406cfd 15051->15054 15052->14892 15055 406d27 GetWindowsDirectoryA 15053->15055 15056 406d1e 15053->15056 15054->15053 15058 406d8b 15054->15058 15057 406d42 15055->15057 
15056->15055 15056->15058 15059 40ef1e lstrlenA 15057->15059 15058->15052 15058->15058 15059->15058 15061 402544 15060->15061 15062 40972d RegOpenKeyExA 15061->15062 15063 409740 15062->15063 15064 409765 15062->15064 15065 40974f RegDeleteValueA RegCloseKey 15063->15065 15064->14875 15065->15064 15067 402554 lstrcatA 15066->15067 15068 40ee2a 15067->15068 15069 40a0ec lstrcatA 15068->15069 15069->14909 15071 40ec37 15070->15071 15072 40a15d 15070->15072 15469 40eba0 15071->15469 15072->14837 15072->14840 15076 402544 15075->15076 15077 40919e wsprintfA 15076->15077 15078 4091bb 15077->15078 15472 409064 GetTempPathA 15078->15472 15081 4091d5 ShellExecuteA 15082 4091e7 15081->15082 15082->14840 15084 406ecc 15083->15084 15086 406ed5 15083->15086 15085 406e36 2 API calls 15084->15085 15085->15086 15086->14890 15088 4098f6 15087->15088 15089 404280 30 API calls 15088->15089 15090 409904 Sleep 15088->15090 15091 409915 15088->15091 15089->15088 15090->15088 15090->15091 15093 409947 15091->15093 15479 40977c 15091->15479 15093->14816 15501 40dd05 GetTickCount 15094->15501 15096 40e538 15508 40dbcf 15096->15508 15098 40e544 15099 40e555 GetFileSize 15098->15099 15104 40e5b8 15098->15104 15100 40e5b1 CloseHandle 15099->15100 15101 40e566 15099->15101 15100->15104 15518 40db2e 15101->15518 15527 40e3ca RegOpenKeyExA 15104->15527 15105 40e576 ReadFile 15105->15100 15107 40e58d 15105->15107 15522 40e332 15107->15522 15108 40e5f2 15111 40e3ca 19 API calls 15108->15111 15112 40e629 15108->15112 15111->15112 15112->14815 15114 40eabe 15113->15114 15115 40eaba 15113->15115 15114->15115 15116 40dd05 6 API calls 15114->15116 15115->14820 15116->15115 15118 40ee2a 15117->15118 15119 401db4 GetVersionExA 15118->15119 15120 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 15119->15120 15122 401e24 15120->15122 15123 401e16 GetCurrentProcess 15120->15123 15580 40e819 15122->15580 15123->15122 15125 401e3d 15126 40e819 11 API calls 15125->15126 15127 401e4e 15126->15127 15128 
401e77 15127->15128 15587 40df70 15127->15587 15596 40ea84 15128->15596 15131 401e6c 15133 40df70 12 API calls 15131->15133 15133->15128 15134 40e819 11 API calls 15135 401e93 15134->15135 15600 40199c inet_addr LoadLibraryA 15135->15600 15138 40e819 11 API calls 15139 401eb9 15138->15139 15140 401ed8 15139->15140 15141 40f04e 4 API calls 15139->15141 15142 40e819 11 API calls 15140->15142 15143 401ec9 15141->15143 15144 401eee 15142->15144 15145 40ea84 30 API calls 15143->15145 15146 401f0a 15144->15146 15613 401b71 15144->15613 15145->15140 15147 40e819 11 API calls 15146->15147 15149 401f23 15147->15149 15151 401f3f 15149->15151 15617 401bdf 15149->15617 15150 401efd 15152 40ea84 30 API calls 15150->15152 15154 40e819 11 API calls 15151->15154 15152->15146 15156 401f5e 15154->15156 15158 401f77 15156->15158 15160 40ea84 30 API calls 15156->15160 15157 40ea84 30 API calls 15157->15151 15624 4030b5 15158->15624 15160->15158 15162 406ec3 2 API calls 15164 401f8e GetTickCount 15162->15164 15164->14825 15166 406ec3 2 API calls 15165->15166 15167 4080eb 15166->15167 15168 4080f9 15167->15168 15169 4080ef 15167->15169 15171 40704c 16 API calls 15168->15171 15672 407ee6 15169->15672 15173 408110 15171->15173 15172 408269 CreateThread 15190 405e6c 15172->15190 16001 40877e 15172->16001 15175 408156 RegOpenKeyExA 15173->15175 15176 4080f4 15173->15176 15174 40675c 21 API calls 15180 408244 15174->15180 15175->15176 15177 40816d RegQueryValueExA 15175->15177 15176->15172 15176->15174 15178 4081f7 15177->15178 15179 40818d 15177->15179 15181 40820d RegCloseKey 15178->15181 15183 40ec2e codecvt 4 API calls 15178->15183 15179->15178 15184 40ebcc 4 API calls 15179->15184 15180->15172 15182 40ec2e codecvt 4 API calls 15180->15182 15181->15176 15182->15172 15189 4081dd 15183->15189 15185 4081a0 15184->15185 15185->15181 15186 4081aa RegQueryValueExA 15185->15186 15186->15178 15187 4081c4 15186->15187 15188 40ebcc 4 API calls 15187->15188 15188->15189 15189->15181 15740 40ec54 
GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15190->15740 15192 405e71 15741 40e654 15192->15741 15194 405ec1 15195 403132 15194->15195 15196 40df70 12 API calls 15195->15196 15197 40313b 15196->15197 15198 40c125 15197->15198 15752 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15198->15752 15200 40c12d 15201 40e654 13 API calls 15200->15201 15202 40c2bd 15201->15202 15203 40e654 13 API calls 15202->15203 15204 40c2c9 15203->15204 15205 40e654 13 API calls 15204->15205 15206 40a47a 15205->15206 15207 408db1 15206->15207 15208 408dbc 15207->15208 15209 40e654 13 API calls 15208->15209 15210 408dec Sleep 15209->15210 15210->14859 15212 40c92f 15211->15212 15213 40c93c 15212->15213 15753 40c517 15212->15753 15215 40ca2b 15213->15215 15216 40e819 11 API calls 15213->15216 15215->14859 15217 40c96a 15216->15217 15218 40e819 11 API calls 15217->15218 15219 40c97d 15218->15219 15220 40e819 11 API calls 15219->15220 15221 40c990 15220->15221 15222 40c9aa 15221->15222 15223 40ebcc 4 API calls 15221->15223 15222->15215 15770 402684 15222->15770 15223->15222 15228 40ca26 15777 40c8aa 15228->15777 15231 40ca44 15232 40ca4b closesocket 15231->15232 15233 40ca83 15231->15233 15232->15228 15234 40ea84 30 API calls 15233->15234 15235 40caac 15234->15235 15236 40f04e 4 API calls 15235->15236 15237 40cab2 15236->15237 15238 40ea84 30 API calls 15237->15238 15239 40caca 15238->15239 15240 40ea84 30 API calls 15239->15240 15241 40cad9 15240->15241 15785 40c65c 15241->15785 15244 40cb60 closesocket 15244->15215 15246 40dad2 closesocket 15247 40e318 23 API calls 15246->15247 15247->15215 15248 40df4c 20 API calls 15295 40cb70 15248->15295 15253 40e654 13 API calls 15253->15295 15255 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15255->15295 15257 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15257->15295 15261 40ea84 30 API calls 15261->15295 15262 40d569 closesocket Sleep 15832 40e318 15262->15832 
15263 40d815 wsprintfA 15263->15295 15264 40cc1c GetTempPathA 15264->15295 15265 407ead 6 API calls 15265->15295 15266 40c517 23 API calls 15266->15295 15268 40e8a1 30 API calls 15268->15295 15269 40d582 ExitProcess 15270 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15270->15295 15271 40cfe3 GetSystemDirectoryA 15271->15295 15272 40cfad GetEnvironmentVariableA 15272->15295 15273 40675c 21 API calls 15273->15295 15274 40d027 GetSystemDirectoryA 15274->15295 15275 40d105 lstrcatA 15275->15295 15276 40ef1e lstrlenA 15276->15295 15277 40cc9f CreateFileA 15278 40ccc6 WriteFile 15277->15278 15277->15295 15282 40cdcc CloseHandle 15278->15282 15283 40cced CloseHandle 15278->15283 15279 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15279->15295 15280 40d15b CreateFileA 15281 40d182 WriteFile CloseHandle 15280->15281 15280->15295 15281->15295 15282->15295 15288 40cd2f 15283->15288 15284 40cd16 wsprintfA 15284->15288 15285 40d149 SetFileAttributesA 15285->15280 15286 40d36e GetEnvironmentVariableA 15286->15295 15287 40d1bf SetFileAttributesA 15287->15295 15288->15284 15814 407fcf 15288->15814 15289 40d22d GetEnvironmentVariableA 15289->15295 15290 40d3af lstrcatA 15292 40d3f2 CreateFileA 15290->15292 15290->15295 15292->15295 15296 40d415 WriteFile CloseHandle 15292->15296 15294 407fcf 64 API calls 15294->15295 15295->15246 15295->15248 15295->15253 15295->15255 15295->15257 15295->15261 15295->15262 15295->15263 15295->15264 15295->15265 15295->15266 15295->15268 15295->15270 15295->15271 15295->15272 15295->15273 15295->15274 15295->15275 15295->15276 15295->15277 15295->15279 15295->15280 15295->15285 15295->15286 15295->15287 15295->15289 15295->15290 15295->15292 15295->15294 15300 40d4b1 CreateProcessA 15295->15300 15301 40d3e0 SetFileAttributesA 15295->15301 15302 40d26e lstrcatA 15295->15302 15306 40d2b1 CreateFileA 15295->15306 15307 407ee6 64 API calls 15295->15307 15308 40d452 SetFileAttributesA 15295->15308 
15311 40d29f SetFileAttributesA 15295->15311 15313 40d31d SetFileAttributesA 15295->15313 15793 40c75d 15295->15793 15805 407e2f 15295->15805 15827 407ead 15295->15827 15837 4031d0 15295->15837 15854 403c09 15295->15854 15864 403a00 15295->15864 15868 40e7b4 15295->15868 15871 40c06c 15295->15871 15877 406f5f GetUserNameA 15295->15877 15888 40e854 15295->15888 15898 407dd6 15295->15898 15296->15295 15297 40cd81 WaitForSingleObject CloseHandle CloseHandle 15298 40f04e 4 API calls 15297->15298 15303 40cda5 15298->15303 15299 407ee6 64 API calls 15304 40cdbd DeleteFileA 15299->15304 15300->15295 15305 40d4e8 CloseHandle CloseHandle 15300->15305 15301->15292 15302->15295 15302->15306 15303->15299 15304->15295 15305->15295 15306->15295 15309 40d2d8 WriteFile CloseHandle 15306->15309 15307->15295 15308->15295 15309->15295 15311->15306 15313->15295 15315 40741b 15314->15315 15316 406dc2 6 API calls 15315->15316 15317 40743f 15316->15317 15318 407469 RegOpenKeyExA 15317->15318 15320 4077f9 15318->15320 15330 407487 ___ascii_stricmp 15318->15330 15319 407703 RegEnumKeyA 15321 407714 RegCloseKey 15319->15321 15319->15330 15320->14929 15321->15320 15322 40f1a5 lstrlenA 15322->15330 15323 4074d2 RegOpenKeyExA 15323->15330 15324 40772c 15326 407742 RegCloseKey 15324->15326 15327 40774b 15324->15327 15325 407521 RegQueryValueExA 15325->15330 15326->15327 15329 4077ec RegCloseKey 15327->15329 15328 4076e4 RegCloseKey 15328->15330 15329->15320 15330->15319 15330->15322 15330->15323 15330->15324 15330->15325 15330->15328 15331 407769 15330->15331 15333 40777e GetFileAttributesExA 15330->15333 15332 4077e3 RegCloseKey 15331->15332 15332->15329 15333->15331 15335 407073 15334->15335 15336 4070b9 RegOpenKeyExA 15335->15336 15337 4070d0 15336->15337 15351 4071b8 15336->15351 15338 406dc2 6 API calls 15337->15338 15341 4070d5 15338->15341 15339 40719b RegEnumValueA 15340 4071af RegCloseKey 15339->15340 15339->15341 15340->15351 15341->15339 15343 4071d0 15341->15343 15357 40f1a5 
lstrlenA 15341->15357 15344 407205 RegCloseKey 15343->15344 15345 407227 15343->15345 15344->15351 15346 4072b8 ___ascii_stricmp 15345->15346 15347 40728e RegCloseKey 15345->15347 15348 4072cd RegCloseKey 15346->15348 15349 4072dd 15346->15349 15347->15351 15348->15351 15350 407311 RegCloseKey 15349->15350 15353 407335 15349->15353 15350->15351 15351->14931 15352 4073d5 RegCloseKey 15354 4073e4 15352->15354 15353->15352 15355 40737e GetFileAttributesExA 15353->15355 15356 407397 15353->15356 15355->15356 15356->15352 15358 40f1c3 15357->15358 15358->15341 15360 403edc 15359->15360 15362 403ee2 15359->15362 15361 406dc2 6 API calls 15360->15361 15361->15362 15362->14935 15364 40400b CreateFileA 15363->15364 15365 40402c GetLastError 15364->15365 15366 404052 15364->15366 15365->15366 15367 404037 15365->15367 15366->14938 15366->14939 15366->14940 15367->15366 15368 404041 Sleep 15367->15368 15368->15364 15368->15366 15370 403f7c 15369->15370 15371 403f4e GetLastError 15369->15371 15373 403f8c ReadFile 15370->15373 15371->15370 15372 403f5b WaitForSingleObject GetOverlappedResult 15371->15372 15372->15370 15374 403ff0 15373->15374 15375 403fc2 GetLastError 15373->15375 15374->14945 15374->14946 15375->15374 15376 403fcf WaitForSingleObject GetOverlappedResult 15375->15376 15376->15374 15380 40eb74 15377->15380 15381 40eb7b GetProcessHeap HeapSize 15380->15381 15382 404350 15380->15382 15381->15382 15382->14953 15384 401924 GetVersionExA 15383->15384 15384->14997 15386 406eef AllocateAndInitializeSid 15385->15386 15392 406f55 15385->15392 15387 406f1c CheckTokenMembership 15386->15387 15388 406f44 15386->15388 15389 406f3b FreeSid 15387->15389 15390 406f2e 15387->15390 15388->15392 15419 406e36 GetUserNameW 15388->15419 15389->15388 15390->15389 15392->15007 15394 409308 15393->15394 15396 40920e 15393->15396 15394->15025 15395 4092f1 Sleep 15395->15396 15396->15394 15396->15395 15397 4092bf ShellExecuteA 15396->15397 15397->15394 15397->15396 15399 40ef32 
15398->15399 15399->15022 15401 40f0f1 15400->15401 15402 40f0ed 15400->15402 15403 40f119 15401->15403 15404 40f0fa lstrlenA SysAllocStringByteLen 15401->15404 15402->15029 15406 40f11c MultiByteToWideChar 15403->15406 15405 40f117 15404->15405 15404->15406 15405->15029 15406->15405 15408 401820 17 API calls 15407->15408 15409 4018f2 15408->15409 15410 4018f9 15409->15410 15422 401280 15409->15422 15410->15025 15412 401908 15412->15025 15434 401000 15413->15434 15415 401839 15416 401851 GetCurrentProcess 15415->15416 15417 40183d 15415->15417 15418 401864 15416->15418 15417->15016 15418->15016 15420 406e97 15419->15420 15421 406e5f LookupAccountNameW 15419->15421 15420->15392 15421->15420 15423 4012e1 15422->15423 15424 4016f9 GetLastError 15423->15424 15431 4013a8 15423->15431 15425 401699 15424->15425 15425->15412 15426 401570 lstrlenW 15426->15431 15427 4015be GetStartupInfoW 15427->15431 15428 4015ff CreateProcessWithLogonW 15429 4016bf GetLastError 15428->15429 15430 40163f WaitForSingleObject 15428->15430 15429->15425 15430->15431 15432 401659 CloseHandle 15430->15432 15431->15425 15431->15426 15431->15427 15431->15428 15433 401668 CloseHandle 15431->15433 15432->15431 15433->15431 15435 40100d LoadLibraryA 15434->15435 15444 401023 15434->15444 15437 401021 15435->15437 15435->15444 15436 4010b5 GetProcAddress 15438 4010d1 GetProcAddress 15436->15438 15439 40127b 15436->15439 15437->15415 15438->15439 15440 4010f0 GetProcAddress 15438->15440 15439->15415 15440->15439 15441 401110 GetProcAddress 15440->15441 15441->15439 15442 401130 GetProcAddress 15441->15442 15442->15439 15443 40114f GetProcAddress 15442->15443 15443->15439 15445 40116f GetProcAddress 15443->15445 15444->15436 15454 4010ae 15444->15454 15445->15439 15446 40118f GetProcAddress 15445->15446 15446->15439 15447 4011ae GetProcAddress 15446->15447 15447->15439 15448 4011ce GetProcAddress 15447->15448 15448->15439 15449 4011ee GetProcAddress 15448->15449 15449->15439 15450 401209 GetProcAddress 
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                                  • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                                    • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                    • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                    • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                                  • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                                  • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                                  • ExitProcess.KERNEL32 ref: 00409C06
                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                                  • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                                  • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                                  • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                                  • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                                  • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                                  • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                                  • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                                  • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                                  • wsprintfA.USER32 ref: 0040A0B6
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                                  • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                                  • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                                  • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                                  • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                                    • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                    • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                    • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                                  • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                                  • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                                  • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                                  • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                  • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                                  • API String ID: 2089075347-2824936573
                                                                                                  • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                                  • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                                  • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                                  • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                                  • wsprintfA.USER32 ref: 004093CE
                                                                                                  • wsprintfA.USER32 ref: 0040940C
                                                                                                  • wsprintfA.USER32 ref: 0040948D
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                                  • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                  • String ID: PromptOnSecureDesktop$runas
                                                                                                  • API String ID: 3696105349-2220793183
                                                                                                  • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                  • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                                  • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                                  • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                  • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                  • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1251348514-2980165447
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                  • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                  • String ID:
                                                                                                  • API String ID: 1209300637-0
                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02AA6F49
                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 02AA6F69
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074784475.0000000002AA2000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AA2000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2aa2000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3833638111-0
                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction ID: 314a86ab9db6cdbdf221e37c8cc0ded405471fedaaba5b1d3596c1f5831a39c1
                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction Fuzzy Hash: 89F096365007106FDB203BF9A8DDB6EB6ECAF49B24F140569E652D24C0DF70E8454E61

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                    • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                    • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$Process$AllocateSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 2559512979-0
                                                                                                  • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                  • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                                  • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                                  • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

Control-flow Graph (function at 004073FF)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph (function at 0040704C)
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
• RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00407208
• RegCloseKey.ADVAPI32(75920F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"$PromptOnSecureDesktop
• API String ID: 4293430545-98143240
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

Control-flow Graph (function at 0040675C)
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

Control-flow Graph (function at 029F003C)
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 029F024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 7385f4efe739d10703a90f68cd5c2d3714d0ac76b2489d608f50874fa29c6be6
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 59526A74A01229DFDBA4CF58C984BACBBB5BF09304F1480D9E54DAB356DB30AA85DF14

Control-flow Graph
APIs
• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
• lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
• String ID: PromptOnSecureDesktop
• API String ID: 4131120076-2980165447
• Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
• Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
• Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
• Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

Control-flow Graph (block id, address range, API or call made in the block, then its successor blocks)
• 739 404000-404008 -> 740
• 740 40400b-40402a CreateFileA -> 741, 742
• 741 404057 -> 745
• 742 40402c-404035 GetLastError -> 743, 744
• 743 404052 -> 747
• 744 404037-40403a -> 743, 746
• 745 404059-40405c -> 747
• 746 40403c-40403f -> 745, 748
• 747 404054-404056
• 748 404041-404050 Sleep -> 740, 743
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                                  • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                                  • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateErrorFileLastSleep
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 408151869-2980165447
                                                                                                  • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                  • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

Control-flow Graph (block id, address range, API or call made in the block, then its successor blocks)
• 749 406987-4069b7 -> 750, 751
• 750 4069e0 -> 752
• 751 4069b9-4069be -> 750, 753
• 752 4069e4-4069fd WriteFile -> 754, 755
• 753 4069c0-4069d0 -> 756, 757
• 754 406a4d-406a51 -> 759, 760
• 755 4069ff-406a02 -> 754, 758
• 756 4069d2 -> 757
• 757 4069d5-4069de -> 752
• 758 406a04-406a08 -> 761, 762
• 759 406a53-406a56 -> 760
• 760 406a59 -> 763
• 761 406a0a-406a0d -> 764
• 762 406a3c-406a3e -> 763
• 763 406a5b-406a5f
• 764 406a10-406a2e WriteFile -> 765, 766
• 765 406a40-406a4b -> 763
• 766 406a30-406a33 -> 765, 767
• 767 406a35-406a3a -> 762, 764
                                                                                                  APIs
                                                                                                  • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                  • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID: ,k@
                                                                                                  • API String ID: 3934441357-1053005162
                                                                                                  • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                  • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

Control-flow Graph (block id, address range, API or call made in the block, then its successor blocks)
• 769 4091eb-409208 -> 770, 771
• 770 409308 -> 773
• 771 40920e-40921c call 40ed03 -> 775, 776
• 773 40930b-40930f
• 775 40921e-40922c call 40ed03 -> 776, 783
• 776 40923f-409249 -> 777, 778
• 777 409250-409270 call 40ee08 -> 784, 785
• 778 40924b -> 777
• 783 40922e-409230 -> 786
• 784 409272-40927f -> 787, 788
• 785 4092dd-4092e1 -> 789, 790
• 786 409233-409238 -> 786, 791
• 787 409281-409285 -> 787, 792
• 788 40929b-40929e -> 794, 795
• 789 4092e3-4092e5 -> 790, 793
• 790 4092e7-4092e8 -> 785
• 791 40923a-40923c -> 776
• 792 409287 -> 788
• 793 4092ea-4092ef -> 798, 799
• 794 4092a0 -> 800
• 795 40928e-409293 -> 796, 797
• 796 409295-409298 -> 800, 803
• 797 409289-40928c -> 795, 803
• 798 4092f1-4092f6 Sleep -> 799
• 799 4092fc-409302 -> 770, 771
• 800 4092a8-4092ab -> 801, 802
• 801 4092a2-4092a5 -> 804, 806
• 802 4092ad-4092b0 -> 804, 805
• 803 40929a -> 788
• 804 4092b2 -> 807
• 805 4092bd -> 808
• 806 4092a7 -> 800
• 807 4092b5-4092b9 -> 807, 809
• 808 4092bf-4092db ShellExecuteA -> 785, 810
• 809 4092bb -> 808
• 810 409310-409324 -> 773
                                                                                                  APIs
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                                  • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShellSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 4194306370-0
                                                                                                  • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                  • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                                  • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                                  • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

Control-flow Graph (block id, address range, API or call made in the block, then its successor blocks)
• 824 29f0e0f-29f0e24 SetErrorMode * 2 -> 825, 826
• 825 29f0e2b-29f0e2c
• 826 29f0e26 -> 825
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(00000400,?,?,029F0223,?,?), ref: 029F0E19
                                                                                                  • SetErrorMode.KERNELBASE(00000000,?,?,029F0223,?,?), ref: 029F0E1E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction ID: a467f6273769c92d8b01ce62e2cae402d75d240a56324e2e8601fd811e37c9ee
                                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction Fuzzy Hash: 77D01231545128B7D7402A94DC09BCD7B1CDF05B66F008011FB0DD9081C770954047E5

Control-flow Graph (block id, address range, API or call made in the block, then its successor blocks)
• 830 406dc2-406dd5 -> 831, 832
• 831 406e33-406e35
• 832 406dd7-406df1 call 406cc9 call 40ef00 -> 837
• 837 406df4-406df9 -> 837, 838
• 838 406dfb-406e00 -> 839, 840
• 839 406e02-406e22 GetVolumeInformationA -> 840, 841
• 840 406e24 -> 841
• 841 406e2e -> 831
                                                                                                  APIs
                                                                                                    • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                    • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                    • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                    • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1823874839-0
                                                                                                  • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                  • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02AA6C31
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074784475.0000000002AA2000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AA2000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2aa2000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction ID: 4ce1de41dce1a6bfdc291d7e425e8b485e332cd611efe9b2ede68d276f2d4837
                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction Fuzzy Hash: 6D113C79A40208EFDB01DF98CA85E98BBF5EF08751F0980A4F9489B361D771EA50DF90
                                                                                                  APIs
                                                                                                  • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                                  • closesocket.WS2_32(?), ref: 0040CB63
                                                                                                  • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                                  • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                                  • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                                  • wsprintfA.USER32 ref: 0040CD21
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                                  • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                                  • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                                  • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                                  • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                                  • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                                  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                                  • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                                  • closesocket.WS2_32(?), ref: 0040D56C
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                                  • ExitProcess.KERNEL32 ref: 0040D583
                                                                                                  • wsprintfA.USER32 ref: 0040D81F
                                                                                                    • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                                  • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                  • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                  • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                  • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                                  • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                                  • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                                  • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                                  • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                                  • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                                  • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                                  • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                                  • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                                  • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                                  • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                  • wsprintfA.USER32 ref: 0040B3B7
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                  • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  APIs
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                  • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                  • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                    • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                  • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                                  • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                  • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                  • select.WS2_32 ref: 00402B28
                                                                                                  • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                  • htons.WS2_32(?), ref: 00402B71
                                                                                                  • htons.WS2_32(?), ref: 00402B8C
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                  Similarity
                                                                                                  • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                  • ExitProcess.KERNEL32 ref: 00404121
                                                                                                  Similarity
                                                                                                  • API ID: CreateEventExitProcess
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                                  • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                  • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                  • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                  Similarity
                                                                                                  • API ID: Read$AddressLibraryLoadProc
                                                                                                  APIs
                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                  • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                  Similarity
                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                  • String ID: *p@
                                                                                                  • API String ID: 3429775523-2474123842
                                                                                                  • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                  • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                  • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                  • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1965334864-0
                                                                                                  • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                  • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                                  • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                                  • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 029F65F6
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 029F6610
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029F6631
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029F6652
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1965334864-0
                                                                                                  • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                  • Instruction ID: ffbadfbf2404f00ec1f5dcdc5aa161952645d66697c6a3838d73faac82801aa7
                                                                                                  • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                  • Instruction Fuzzy Hash: F2114271600218BFDB915F65DC49F9B3FACEB457A9F104024FA14A7250D7B1DD008BA4
                                                                                                  APIs
                                                                                                  • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                                  • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                    • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                    • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 3754425949-0
                                                                                                  • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                  • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                                  • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                                  • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .$GetProcAddress.$l
                                                                                                  • API String ID: 0-2784972518
                                                                                                  • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                  • Instruction ID: 507389e256098e01875536d2565b8e8eb87f1004723b4ea85ad250ac2a8894ca
                                                                                                  • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                                  • Instruction Fuzzy Hash: 0E316AB6900609DFEB50CF99C880AAEBBF9FF48324F54404AD941A7315D771EA85CFA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                                  • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                                  • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                                  • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074784475.0000000002AA2000.00000040.00000020.00020000.00000000.sdmp, Offset: 02AA2000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_2aa2000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                  • Instruction ID: 54f5bf86d1b844dfb0e9778b761a3c7b3bb32399b77dd38c4c8f4b48f625f81a
                                                                                                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                                  • Instruction Fuzzy Hash: F7115E727401009FDB54DF55DC90EA673AEEF9D620B198065E908CB311EB75E801CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                  • Instruction ID: b4450858c963501631966eb4d62034aa860fdb9e38fb421fec0a5c480dbd103d
                                                                                                  • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                  • Instruction Fuzzy Hash: 1E01A7776116048FDFA1CF24C904BAA33EDFF85216F4544A5DA069B246E774A9418B90
                                                                                                  APIs
                                                                                                  • ExitProcess.KERNEL32 ref: 029F9E6D
                                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 029F9FE1
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 029F9FF2
                                                                                                  • lstrcat.KERNEL32(?,0041070C), ref: 029FA004
                                                                                                  • GetFileAttributesExA.KERNEL32(?,?,?), ref: 029FA054
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 029FA09F
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 029FA0D6
                                                                                                  • lstrcpy.KERNEL32 ref: 029FA12F
                                                                                                  • lstrlen.KERNEL32(00000022), ref: 029FA13C
                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 029F9F13
                                                                                                    • Part of subcall function 029F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 029F7081
                                                                                                    • Part of subcall function 029F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\upqhzwij,029F7043), ref: 029F6F4E
                                                                                                    • Part of subcall function 029F6F30: GetProcAddress.KERNEL32(00000000), ref: 029F6F55
                                                                                                    • Part of subcall function 029F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029F6F7B
                                                                                                    • Part of subcall function 029F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029F6F92
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029FA1A2
                                                                                                  • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029FA1C5
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 029FA214
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 029FA21B
                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 029FA265
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 029FA29F
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 029FA2C5
                                                                                                  • lstrcat.KERNEL32(?,00000022), ref: 029FA2D9
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 029FA2F4
                                                                                                  • wsprintfA.USER32 ref: 029FA31D
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 029FA345
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 029FA364
                                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029FA387
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029FA398
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029FA1D1
                                                                                                    • Part of subcall function 029F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029F999D
                                                                                                    • Part of subcall function 029F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 029F99BD
                                                                                                    • Part of subcall function 029F9966: RegCloseKey.ADVAPI32(?), ref: 029F99C6
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 029FA3DB
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 029FA3E2
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 029FA41D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                  • String ID: "$"$"$D$P$\
                                                                                                  • API String ID: 1653845638-2605685093
                                                                                                  • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction ID: 30ec17ef979990d297abe5a2dd4a5da857acc133cec71ba18d9285650dbdb539
                                                                                                  • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction Fuzzy Hash: 2DF153B1D40259AFDFA1DBA0DC48FEF7BBCAB09304F0444A5E709E2141E7B59A848F65
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                  • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                  • API String ID: 2976863881-1403908072
                                                                                                  • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                  • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
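The "APIs" lines in the entries above show raw hex stack words at each call site and the plugin does not decode them: the AllocateAndInitializeSid/CheckTokenMembership/FreeSid sequence at 00406F0F, the VirtualAlloc/VirtualAllocEx/WriteProcessMemory sequence at 029F6610, the RegOpenKeyExA/RegGetKeySecurity/SetSecurityDescriptorOwner/RegSetKeySecurity sequence at 00407ABA and the CreateProcessA-then-DeleteFileA sequence at 029FA387. The following Python is an added editor's example, not Joe Sandbox or sample code: it parses lines in the listing format shown, decodes only the argument positions that the Win32 prototypes define as flags or handles, and names the call patterns. Assumptions: the SID identifier authority, which the listing can only show as a pointer, is taken to be SECURITY_NT_AUTHORITY; the embedded sample lines are copied from the entries above (subsets, as noted); sorting by call-site address approximates static layout, not execution order.

```python
"""Parse and decode the "APIs" lines of a Joe Sandbox IDA-plugin listing.

Editor's example, not Joe Sandbox code. Argument columns are raw stack words
captured at the call site, so only prototype positions that carry flags or
handles are decoded; every other argument is left as it appears.
"""
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEXWORD = re.compile(r"^[0-9A-Fa-f]{8}$")

PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
KEY = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
       0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
       0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL",
       0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SECINFO = {1: "OWNER_SECURITY_INFORMATION", 2: "GROUP_SECURITY_INFORMATION",
           4: "DACL_SECURITY_INFORMATION", 8: "SACL_SECURITY_INFORMATION"}
PROC = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
        0x08000000: "CREATE_NO_WINDOW"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
        0x80000002: "HKEY_LOCAL_MACHINE"}
# (argument index, table) for the prototype positions that carry flags or root handles.
FLAG_ARGS = {"VirtualAlloc": [(2, MEM), (3, PAGE)], "VirtualAllocEx": [(3, MEM), (4, PAGE)],
             "RegOpenKeyExA": [(0, HKEY), (3, KEY)], "RegGetKeySecurity": [(1, SECINFO)],
             "RegSetKeySecurity": [(1, SECINFO)], "CreateProcessA": [(5, PROC)]}
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}


@dataclass
class Call:
    api: str
    module: str
    args: list                 # int for 8-digit hex words, None for "?", str otherwise
    ref: int                   # call-site address
    subcall_of: Optional[int]  # set when the plugin attributes the call to a callee


def parse_call(line: str) -> Optional[Call]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [
        None if a == "?" else int(a, 16) if HEXWORD.match(a) else a
        for a in (s.strip() for s in raw.split(","))]
    sub = m.group("sub")
    return Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16),
                int(sub, 16) if sub else None)


def parse_listing(text: str) -> list:
    calls = [c for c in map(parse_call, text.splitlines()) if c]
    # Address order approximates static layout; it is not execution order.
    return sorted(calls, key=lambda c: c.ref)


def flags(value: int, table: dict) -> str:
    names = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def sid_from_args(args: list, authority: int = 5) -> str:
    # args[0] is only a pointer to the SID_IDENTIFIER_AUTHORITY, which the listing
    # cannot show; SECURITY_NT_AUTHORITY (5) is assumed.
    subs = args[2:2 + args[1]]
    sid = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))
    return WELL_KNOWN_SIDS.get(sid, sid)


def decode(call: Call) -> dict:
    out = {}
    for idx, table in FLAG_ARGS.get(call.api, []):
        if idx < len(call.args) and isinstance(call.args[idx], int):
            v = call.args[idx]
            out[idx] = table.get(v, hex(v)) if table is HKEY else flags(v, table)
    if call.api == "AllocateAndInitializeSid" and len(call.args) > 1 \
            and isinstance(call.args[1], int):
        out["sid"] = sid_from_args(call.args)
    return out


def classify(calls: list) -> list:
    """Name the call patterns a function body shows, ignoring attributed subcalls."""
    names = [c.api for c in calls if c.subcall_of is None]

    def before(a, b):  # some a occurs, and some b occurs after it
        i = next((i for i, n in enumerate(names) if n == a), None)
        return i is not None and b in names[i + 1:]

    found = []
    if {"AllocateAndInitializeSid", "CheckTokenMembership", "FreeSid"} <= set(names):
        found.append("token group membership check")
    rwx = any(c.api == "VirtualAllocEx" and decode(c).get(4) == "PAGE_EXECUTE_READWRITE"
              for c in calls)
    if rwx and before("VirtualAllocEx", "WriteProcessMemory"):
        found.append("remote RWX allocation then WriteProcessMemory")
    if before("RegGetKeySecurity", "SetSecurityDescriptorOwner") and \
            before("SetSecurityDescriptorOwner", "RegSetKeySecurity"):
        found.append("registry key owner rewrite")
    if before("CreateProcessA", "DeleteFileA"):
        found.append("CreateProcess then DeleteFile")
    return found


# Lines copied from the report entries above (subsets, to keep the example short).
ADMIN_CHECK = """
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
"""
INJECT = """
• GetModuleHandleA.KERNEL32(00000000), ref: 029F65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 029F6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029F6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029F6652
"""
OWNER_REWRITE = """
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
"""
RELAUNCH = r"""
• ExitProcess.KERNEL32 ref: 029F9E6D
• DeleteFileA.KERNEL32(?), ref: 029FA09F
• GetTempPathA.KERNEL32(000001F4,?), ref: 029F9F13
  • Part of subcall function 029F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029F6F7B
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029FA1A2
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029FA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029FA398
"""

if __name__ == "__main__":
    for name, text in [("admin", ADMIN_CHECK), ("inject", INJECT),
                       ("owner", OWNER_REWRITE), ("relaunch", RELAUNCH)]:
        calls = parse_listing(text)
        print(name, classify(calls), [(c.api, decode(c)) for c in calls if decode(c)])
```

Run as a script it prints one line per sample. The decoded values are what a reader of the entries above wants at hand: the SID built at 00406F0F is S-1-5-32-544 (BUILTIN\Administrators), so the function is an administrator-membership check; the VirtualAllocEx at 029F6631 asks for MEM_COMMIT with PAGE_EXECUTE_READWRITE in another process immediately before WriteProcessMemory; the samDesired value 000E0100 at 00407ABA decodes to READ_CONTROL|WRITE_DAC|WRITE_OWNER|KEY_WOW64_64KEY, which is the access a 32-bit process needs to take ownership of a key in the 64-bit registry view, and RegGetKeySecurity(5) followed by RegSetKeySecurity(1) reads owner plus DACL and writes the owner back; CreateProcessA at 029FA387 passes CREATE_NO_WINDOW and is followed by DeleteFileA. Extend FLAG_ARGS when you meet further APIs; positions not listed there are deliberately not decoded, because the extra trailing columns in the listing are stack residue rather than arguments.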
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 029F7D21
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 029F7D46
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029F7D7D
                                                                                                  • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 029F7DA2
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029F7DC0
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 029F7DD1
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 029F7DE5
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029F7DF3
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029F7E03
                                                                                                  • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 029F7E12
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 029F7E19
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029F7E35
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                  • API String ID: 2976863881-1403908072
                                                                                                  • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction ID: 51e4e256085045e22f1dd281d4514ba18a2eec51dd606cb14b12102de795c128
                                                                                                  • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction Fuzzy Hash: 61A14B71900219AFDB918FA4DD88FEEBBBDFB48304F04816AF605E6150E7758A85CB64
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                  • API String ID: 2400214276-165278494
                                                                                                  • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                  • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 0040A7FB
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                  • wsprintfA.USER32 ref: 0040A8AF
                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                  • wsprintfA.USER32 ref: 0040A8E2
                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                  • wsprintfA.USER32 ref: 0040A9B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                  • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                  • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 029F7A96
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029F7ACD
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 029F7ADF
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 029F7B01
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029F7B1F
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 029F7B39
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 029F7B4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029F7B58
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029F7B68
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 029F7B77
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 029F7B7E
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029F7B9A
                                                                                                  • GetAce.ADVAPI32(?,?,?), ref: 029F7BCA
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 029F7BF1
                                                                                                  • DeleteAce.ADVAPI32(?,?), ref: 029F7C0A
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 029F7C2C
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 029F7CB1
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029F7CBF
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 029F7CD0
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 029F7CE0
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 029F7CEE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: 7bc36b98317d38b4289cd6e5c48b2b8bf5cbd3838d2fa1b333525266fd16a185
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: E1815D71900219AFDB91CFE4DD84FEEBBBCAF09304F04816AE605E6250D7759641CB64
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                  • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                  • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                  • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                  • String ID: PromptOnSecureDesktop$localcfg
                                                                                                  • API String ID: 237177642-1678164370
                                                                                                  • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                  • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                  • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                                  • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                  • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                  • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                  • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                  • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                  • API String ID: 835516345-270533642
                                                                                                  • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                  • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                  • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                  • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 029F865A
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 029F867B
                                                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 029F86A8
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 029F86B1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                  • String ID: "$PromptOnSecureDesktop
                                                                                                  • API String ID: 237177642-3108538426
                                                                                                  • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                  • Instruction ID: c119e29eb1e3ee00e29ecba4b4fb9fbd5ba4b22d1c5fc8c41de7def909280bf9
                                                                                                  • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                  • Instruction Fuzzy Hash: CFC1A0B2900249BEEBD1ABA4DD84EEF7BBDFB49304F144066F704E6050E7714A948F65
                                                                                                  APIs
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 029F1601
                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 029F17D8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                  • String ID: $<$@$D
                                                                                                  • API String ID: 1628651668-1974347203
                                                                                                  • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                  • Instruction ID: 0baf7d2c2f6d28b587a1fb348e1bdf6cdb189bd844e0644489395080502baa41
                                                                                                  • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                  • Instruction Fuzzy Hash: 56F180B1508341DFD760CF64D888BABB7E9FB88304F10892DFA9997290D774D944CB96
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029F76D9
                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 029F7757
                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 029F778F
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 029F78B4
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F794E
                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029F796D
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F797E
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F79AC
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F7A56
                                                                                                    • Part of subcall function 029FF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,029F772A,?), ref: 029FF414
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 029F79F6
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F7A4D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                  • String ID: "$PromptOnSecureDesktop
                                                                                                  • API String ID: 3433985886-3108538426
                                                                                                  • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                  • Instruction ID: 8987677b51e236b1ff872eabe04bef4a2d52e3f3776002e69415d6b177a56027
                                                                                                  • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                                  • Instruction Fuzzy Hash: 98C17272900209AFDBE19FA4DC44FEEBBBDEF49314F1440A5E644E6190EB71DA94CB60
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 029F2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 029F2D07
• htons.WS2_32(00000000), ref: 029F2D42
• select.WS2_32 ref: 029F2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 029F2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 029F2E62
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
APIs
• GetVersionExA.KERNEL32(?), ref: 029F95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029F95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 029F95DC
• wsprintfA.USER32 ref: 029F9635
• wsprintfA.USER32 ref: 029F9673
• wsprintfA.USER32 ref: 029F96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029F9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029F978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029F97D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
APIs
• GetVersionExA.KERNEL32 ref: 029F202D
• GetSystemInfo.KERNEL32(?), ref: 029F204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 029F206A
• GetProcAddress.KERNEL32(00000000), ref: 029F2071
• GetCurrentProcess.KERNEL32(?), ref: 029F2082
• GetTickCount.KERNEL32 ref: 029F2230
  • Part of subcall function 029F1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 029F1E7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                  • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                  • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                  • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                    • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                  • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1553760989-1857712256
                                                                                                  • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                  • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 029F3068
                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 029F3078
                                                                                                  • GetProcAddress.KERNEL32(00000000,00410408), ref: 029F3095
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 029F30B6
                                                                                                  • htons.WS2_32(00000035), ref: 029F30EF
                                                                                                  • inet_addr.WS2_32(?), ref: 029F30FA
                                                                                                  • gethostbyname.WS2_32(?), ref: 029F310D
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 029F314D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                  • String ID: iphlpapi.dll
                                                                                                  • API String ID: 2869546040-3565520932
                                                                                                  • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction ID: 6abaaf10c9a9b65eb4cbb80d5277fc8740b2fae6e1e5963566a8a2139ebf9b42
                                                                                                  • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction Fuzzy Hash: 0031D631B00246ABDBD19BB8DC48BAE77BCEF05364F1441A5EA18E3290DB78D541CB5C
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                  • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: DnsQuery_A$dnsapi.dll
                                                                                                  • API String ID: 3560063639-3847274415
                                                                                                  • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                  • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                                  • API String ID: 1082366364-2834986871
                                                                                                  • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                  • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                                  • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                                  • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D$PromptOnSecureDesktop
                                                                                                  • API String ID: 2981417381-1403908072
                                                                                                  • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                  • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                                  • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                                  • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 029F67C3
                                                                                                  • htonl.WS2_32(?), ref: 029F67DF
                                                                                                  • htonl.WS2_32(?), ref: 029F67EE
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 029F68F1
                                                                                                  • ExitProcess.KERNEL32 ref: 029F69BC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                  • String ID: except_info$localcfg
                                                                                                  • API String ID: 1150517154-3605449297
                                                                                                  • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction ID: d89a174c5edc1ea6b642665234151aafd31cfb0314a0f2410e8e838a9f46478a
                                                                                                  • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction Fuzzy Hash: 82615E71A40208AFDBA09FB4DC45FEA77E9FB48300F14806AFA6DD2161EB7599908F54
                                                                                                  APIs
                                                                                                  • htons.WS2_32(029FCC84), ref: 029FF5B4
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 029FF5CE
                                                                                                  • closesocket.WS2_32(00000000), ref: 029FF5DC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction ID: 90a5787024747a32aa2167fad1d3a14dfb566b5aa99366e1ba9b3d48753a2a1d
                                                                                                  • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction Fuzzy Hash: 04316E7290011CABDB90DFA5DC88DEE7BBCEF88314F104566FA15D3190E7709A81CBA4
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                  • wsprintfA.USER32 ref: 00407036
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                  • String ID: /%d$|
                                                                                                  • API String ID: 676856371-4124749705
                                                                                                  • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                  • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?), ref: 029F2FA1
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 029F2FB1
                                                                                                  • GetProcAddress.KERNEL32(00000000,004103F0), ref: 029F2FC8
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029F3000
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 029F3007
                                                                                                  • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 029F3032
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: dnsapi.dll
                                                                                                  • API String ID: 1242400761-3175542204
                                                                                                  • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction ID: 10b6e174cfc7156c207abbd630ecff80e988f540bf851c2ad228b8df53e365dd
                                                                                                  • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction Fuzzy Hash: 6021A471D40226BBCBA19F54DC44AEEBBBCEF08B10F154461FA01E7540D7B49A8187D4
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 3609698214-2980165447
                                                                                                  • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                  • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                                  • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                                  • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\upqhzwij,029F7043), ref: 029F6F4E
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 029F6F55
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029F6F7B
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029F6F92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\upqhzwij
                                                                                                  • API String ID: 1082366364-3181634274
                                                                                                  • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction ID: 32c55161ad46d97265722daf86275eeb59e1627d194043d1f220b5f80231d331
                                                                                                  • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction Fuzzy Hash: B321FD217403403AF7E257319C88FFB2E4C8F92724F1C80A5FA04A69D0DBD984E687AD
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                  • wsprintfA.USER32 ref: 004090E9
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 2439722600-2980165447
                                                                                                  • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                  • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                                  • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                                  • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?), ref: 029F92E2
                                                                                                  • wsprintfA.USER32 ref: 029F9350
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029F9375
                                                                                                  • lstrlen.KERNEL32(?,?,00000000), ref: 029F9389
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 029F9394
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 029F939B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 2439722600-2980165447
                                                                                                  • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                  • Instruction ID: 314bb5b9c75af309312dcbfafb3ca82b7a4eed21b4f8cb8998eed52d2a1b40f8
                                                                                                  • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                                  • Instruction Fuzzy Hash: 281172B6A401147BE7A06731EC0DFEF3A6EDFC8B10F008065BB09A5090EAB54A418B65
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 029F9A18
                                                                                                  • GetThreadContext.KERNEL32(?,?), ref: 029F9A52
                                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 029F9A60
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 029F9A98
                                                                                                  • SetThreadContext.KERNEL32(?,00010002), ref: 029F9AB5
                                                                                                  • ResumeThread.KERNEL32(?), ref: 029F9AC2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                  • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction ID: 9138b28ccff3f1a078658b45de41fd98eb0a358a519dfa73531d88007d59e7d5
                                                                                                  • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction Fuzzy Hash: 37213BB1A01229BBEBA19BA1DC09FEF7BBCEF04754F404061BA19E5150E775CA44CBA4
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(004102D8), ref: 029F1C18
                                                                                                  • LoadLibraryA.KERNEL32(004102C8), ref: 029F1C26
                                                                                                  • GetProcessHeap.KERNEL32 ref: 029F1C84
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 029F1C9D
                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 029F1CC1
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 029F1D02
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 029F1D0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                  • String ID:
                                                                                                  • API String ID: 2324436984-0
                                                                                                  • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction ID: 145b1c27b561e9427bd5839a587f11136866d814afdc06dbb244c106abc53ba0
                                                                                                  • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction Fuzzy Hash: E0316F32D00249FFCB919FE4DC888FEBBB9EF45705B24447AE609A2110D7B54E80DB94
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                  • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1586453840-2980165447
                                                                                                  • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                  • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                                  • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                                  • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                                  • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1371578007-2980165447
                                                                                                  • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                  • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                  • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                  • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 029F6CE4
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029F6D22
                                                                                                  • GetLastError.KERNEL32 ref: 029F6DA7
                                                                                                  • CloseHandle.KERNEL32(?), ref: 029F6DB5
                                                                                                  • GetLastError.KERNEL32 ref: 029F6DD6
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 029F6DE7
                                                                                                  • GetLastError.KERNEL32 ref: 029F6DFD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3873183294-0
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: 4a498b07c350de0559e4466794b80543228aa828c41f6b96a8f47332e645d7ad
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 0A31CE77900249BFCB819FA49D48ADE7F7DEF88310F148165E361A3260D7708A958B65
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                  • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                  • wsprintfA.USER32 ref: 004091A9
                                                                                                    • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                    • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                    • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                    • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                    • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                    • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 3857584221-2980165447
                                                                                                  • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                  • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029F93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 029F93CD
• CharToOemA.USER32(?,?), ref: 029F93DB
• wsprintfA.USER32 ref: 029F9410
  • Part of subcall function 029F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 029F92E2
  • Part of subcall function 029F92CB: wsprintfA.USER32 ref: 029F9350
  • Part of subcall function 029F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029F9375
  • Part of subcall function 029F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 029F9389
  • Part of subcall function 029F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 029F9394
  • Part of subcall function 029F92CB: CloseHandle.KERNEL32(00000000), ref: 029F939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029F9448
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID: PromptOnSecureDesktop
• API String ID: 3857584221-2980165447
• Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction ID: d71bce2602122d37df9cb550653621741c335d3e6c17836c2dd7ec7b71578813
• Instruction Fuzzy Hash: B9015EF69001187BEB61A7619D89FDF3B7CDB95711F0040A2BB49E2080EAB496C58F75
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
• Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
• Instruction ID: 82d1692e2942592c9cea0a9d8798d861dd651ce1dab6e5932f7db5d88bef7343
• Instruction Fuzzy Hash: 41714A72A00308AADFE18B54DC85FEE376EAF40349F244466FB0CA60D0DF6289C48B59
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 029FDF6C: GetCurrentThreadId.KERNEL32 ref: 029FDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 029FE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,029F6128), ref: 029FE950
• lstrcmp.KERNEL32(?,00000008), ref: 029FE989
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: 4f2de31e3f2b84187d2bc8389f41c697598d4564a331e9587898c9e5891de3aa
• Instruction Fuzzy Hash: 1D319031A007059BDBF18F24C884BAA7BE9EB45724F00892AEBD587560D370E8C0CBA1
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: f7dc5ad341ee8a86bb340fd838a06aab26442d3b22da0eafeb8de53b4109d181
• Instruction Fuzzy Hash: A4214A73204219BFDB909BA0FC48EDF7FADEB49264B108425F612D10A0FB71DA509B74
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 029FC6B4
• InterlockedIncrement.KERNEL32(029FC74B), ref: 029FC715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,029FC747), ref: 029FC728
• CloseHandle.KERNEL32(00000000,?,029FC747,00413588,029F8A77), ref: 029FC733
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 7ffe3a0e7d8ed367126ba9868699dae68dcee708497b7c188d18400946b8420a
• Instruction Fuzzy Hash: 56513DB1A05B458FD7A4CF69C5D462ABBE9FB88304B50993FE28BC7A90D774E444CB10
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
• Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• RegCreateKeyExA.ADVAPI32(80000001,029FE50A,00000000,00000000,00000000,00020106,00000000,029FE50A,00000000,000000E4), ref: 029FE319
• RegSetValueExA.ADVAPI32(029FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029FE38E
• RegDeleteValueA.ADVAPI32(029FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029FE3BF
• RegCloseKey.ADVAPI32(029FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029FE50A), ref: 029FE3C8
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 15175bb5e5525f43541b9852a52b39f04efea814ef9b5a30a5f8ce215762c517
• Instruction Fuzzy Hash: 6D214F71A0021DABDFA09FA4EC89EDE7F79EF48750F048021FA44A6160E3B18A54DB90
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 029F71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029F7228
• LocalFree.KERNEL32(?,?,?), ref: 029F7286
• wsprintfA.USER32 ref: 029F729D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: ebe2bea350e9f61c732d32ec6bba71eb2300630ddcb5b8aaf8fd3f543131ba0d
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 0F312972A00208BFDB81DFA8DC45BDA7BACEF04314F14C066F959DB240EB75D6488B94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• GetLocalTime.KERNEL32(?), ref: 029FB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 029FB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 029FB548
• GetTimeZoneInformation.KERNEL32(?), ref: 029FB590
• wsprintfA.USER32 ref: 029FB61E
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: fbadc88fa3a7d1cf5681f4279abb4ef6a503ce95ab16c36a08c8c1137b138c41
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 025100B1D0021DAACF54DFD5D8885EEBBB9BF48304F10856AF605B6150E7B84AC9CF98
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 029F6303
• LoadLibraryA.KERNEL32(?), ref: 029F632A
• GetProcAddress.KERNEL32(00000000,?), ref: 029F63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 029F6405
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: ee426c7d12bba78cc327cbec108909c843a3b29f37d99deef160a3c9525a51ae
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 66416A71A00209EFDB94DF58C884BA9B7BCFF04358F188569EA69D7290E7B1E940CB50
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
• Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
• Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
• Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
APIs
  • Part of subcall function 029FDF6C: GetCurrentThreadId.KERNEL32 ref: 029FDFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,029FA6AC), ref: 029FE7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,029FA6AC), ref: 029FE7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,029FA6AC), ref: 029FE819
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
Yara matches
Similarity
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
• Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction ID: f421401d1e3dc8372c56b608cec925cbe9f2041ab5a4727d44d38fe0428fe4fb
• Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
• Instruction Fuzzy Hash: EE21E5B1A403047AF2E177219C05FEB3E1DDFA5B60F100035BB49A55E2EAA594508BB5
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                  • API String ID: 2574300362-1087626847
                                                                                                  • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                  • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029F76D9
                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029F796D
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F797E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseEnumOpen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 1332880857-2980165447
                                                                                                  • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                  • Instruction ID: b91f233db68fe750ab391cd2d9f66829b3b1c3b35bdc373bfd6a114598fa34fc
                                                                                                  • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                                  • Instruction Fuzzy Hash: 70119A70A00109AFDB918BA9EC44FEEBB79AF85718F140561F615E6290E7B189508B61
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: hi_id$localcfg
                                                                                                  • API String ID: 2777991786-2393279970
                                                                                                  • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                  • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                  • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                  • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                                  • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                                  • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseDeleteOpenValue
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 849931509-2980165447
                                                                                                  • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                  • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                                  • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                                  • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029F999D
                                                                                                  • RegDeleteValueA.ADVAPI32(?,00000000), ref: 029F99BD
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 029F99C6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseDeleteOpenValue
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 849931509-2980165447
                                                                                                  • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                  • Instruction ID: e80f53c809a1d5138a20634b8d7bed133e20ebeaafdde4436bc87197ea3c0f98
                                                                                                  • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                                  • Instruction Fuzzy Hash: 30F096B2A80208BBF7516B54EC06FDB3A2DDB95B24F104061FB05B50D1F6E59A9087B9
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg$u6A
                                                                                                  • API String ID: 1594361348-1940331995
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: 85f55712d866f968eafd1a50e16d0482401ff7ea319b443da03d5690b018aa1e
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: CAE0C730A142218FCBC08B2CF848BCA3BE8EF0A230F008180F980C32A0C734DCC0AB80
                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 029F69E5
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 029F6A26
                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000), ref: 029F6A3A
                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 029F6BD8
                                                                                                    • Part of subcall function 029FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029F1DCF,?), ref: 029FEEA8
                                                                                                    • Part of subcall function 029FEE95: HeapFree.KERNEL32(00000000), ref: 029FEEAF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 3384756699-0
                                                                                                  • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                  • Instruction ID: 0ecc099ff3999d4c55f48a59988cf83793c0befecb1a383f0efff56585592028
                                                                                                  • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                  • Instruction Fuzzy Hash: 5171277190421DEFDF91DFA4CD80AEEBBBDFB04315F10456AEA25A6190D7309E92CB60
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf
                                                                                                  • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                  • API String ID: 2111968516-120809033
                                                                                                  • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                  • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                  • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                  • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                  • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                  • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029F421F
                                                                                                  • GetLastError.KERNEL32 ref: 029F4229
                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 029F423A
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029F424D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction ID: e39608a383d0e9b3b6e50700f201e73ad23812f61956e3b6f2c4e0e996da2147
                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction Fuzzy Hash: 1001C872511109AFDF41DF90ED84BEF7BACEB08259F108461FA01E6050D770DA548BB6
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029F41AB
                                                                                                  • GetLastError.KERNEL32 ref: 029F41B5
                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 029F41C6
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029F41D9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction ID: 7c114c9610dce70dd3ed5c472448b778a82f063fce5c6e505ffff71c9949f974
                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction Fuzzy Hash: 2601E97651110EABDF41DF90ED84BEF7B6CEB18255F004061FA01E2050D770AA548BB5
                                                                                                  APIs
                                                                                                  • lstrcmp.KERNEL32(?,80000009), ref: 029FE066
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp
                                                                                                  • String ID: A$ A$ A
                                                                                                  • API String ID: 1534048567-1846390581
                                                                                                  • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                  • Instruction ID: 45722bb1a0d79c4eb875ff0856e1fd47600c7d468a16a98971d2640a9ea2f8a2
                                                                                                  • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                  • Instruction Fuzzy Hash: 4FF062312047069BCBA0CF25D884A92B7EDFB05325B58872AE6A4C3870D374A498CB55
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                  • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                  • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                  • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                  • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                  • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                  • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                  • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                  • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                  • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                  • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                  • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                  • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                  • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00403103
                                                                                                  • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                  • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                  • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                  • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                  • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                                    • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                    • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                                    • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                                    • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 4151426672-2980165447
                                                                                                  • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                  • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                                  • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                                                  • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000001,029F44E2,00000000,00000000,00000000), ref: 029FE470
                                                                                                  • CloseHandle.KERNEL32(00000001,00000003), ref: 029FE484
                                                                                                    • Part of subcall function 029FE2FC: RegCreateKeyExA.ADVAPI32(80000001,029FE50A,00000000,00000000,00000000,00020106,00000000,029FE50A,00000000,000000E4), ref: 029FE319
                                                                                                    • Part of subcall function 029FE2FC: RegSetValueExA.ADVAPI32(029FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029FE38E
                                                                                                    • Part of subcall function 029FE2FC: RegDeleteValueA.ADVAPI32(029FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029FE3BF
                                                                                                    • Part of subcall function 029FE2FC: RegCloseKey.ADVAPI32(029FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029FE50A), ref: 029FE3C8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 4151426672-2980165447
                                                                                                  • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                  • Instruction ID: fffb07636ed1016bee3bccf28f99f72b60ddbef85ab0f82b71413b8b14b1d10d
                                                                                                  • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                                  • Instruction Fuzzy Hash: 9241E4B2D00208BAEBE06F518C45FEB3B6CEB44764F148029FF09940A1E3B59650DFB5
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 029F83C6
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 029F8477
                                                                                                    • Part of subcall function 029F69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 029F69E5
                                                                                                    • Part of subcall function 029F69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 029F6A26
                                                                                                    • Part of subcall function 029F69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 029F6A3A
                                                                                                    • Part of subcall function 029FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029F1DCF,?), ref: 029FEEA8
                                                                                                    • Part of subcall function 029FEE95: HeapFree.KERNEL32(00000000), ref: 029FEEAF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 359188348-2980165447
                                                                                                  • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                  • Instruction ID: dc2f81fd126ff8a5fd6a14970c2af6091b3e7b2dd433b6eb5640241f84e3efc5
                                                                                                  • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                  • Instruction Fuzzy Hash: 5B415FB2900109BFEBD0EBA49E80EFF776DFB44344F1444AAE758D6150F7B05A948B64
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,029FE859,00000000,00020119,029FE859,PromptOnSecureDesktop), ref: 029FE64D
                                                                                                  • RegCloseKey.ADVAPI32(029FE859,?,?,?,?,000000C8,000000E4), ref: 029FE787
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseOpen
                                                                                                  • String ID: PromptOnSecureDesktop
                                                                                                  • API String ID: 47109696-2980165447
                                                                                                  • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                  • Instruction ID: f02576bb1a9337e768ecd5ad34fd3aaf3730f4c322dd596f6ae373d4f7f2062b
                                                                                                  • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                                  • Instruction Fuzzy Hash: 6241F7B2D0021DBFDF91EF94DC84EEEBBBDFB48304F144466EA10A6160E3719A559B60
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 029FAFFF
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 029FB00D
                                                                                                    • Part of subcall function 029FAF6F: gethostname.WS2_32(?,00000080), ref: 029FAF83
                                                                                                    • Part of subcall function 029FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 029FAFE6
                                                                                                    • Part of subcall function 029F331C: gethostname.WS2_32(?,00000080), ref: 029F333F
                                                                                                    • Part of subcall function 029F331C: gethostbyname.WS2_32(?), ref: 029F3349
                                                                                                    • Part of subcall function 029FAA0A: inet_ntoa.WS2_32(00000000), ref: 029FAA10
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                  • String ID: %OUTLOOK_BND_
                                                                                                  • API String ID: 1981676241-3684217054
                                                                                                  • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                  • Instruction ID: a88ba6aa0772ca87166bb450d8a62f1bb6384d1629140038a592b392fc27fa8e
                                                                                                  • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                  • Instruction Fuzzy Hash: AC41417290020CABDBA5EFA0DC45EEE3BADFF48304F144426FA2892151EB75E654CF54
                                                                                                  APIs
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 029F9536
                                                                                                  • Sleep.KERNEL32(000001F4), ref: 029F955D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShellSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 4194306370-3916222277
                                                                                                  • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                  • Instruction ID: 6cd323f0c8ac0e578bb875044764396be570787055b02d00375c5f93b7f9c762
                                                                                                  • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                  • Instruction Fuzzy Hash: A6412771C083996EFBF68B68D89C7A63FAC9B42318F1800A5DA96971A2D7744980C711
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 029FB9D9
                                                                                                  • InterlockedIncrement.KERNEL32(00413648), ref: 029FBA3A
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 029FBA94
                                                                                                  • GetTickCount.KERNEL32 ref: 029FBB79
                                                                                                  • GetTickCount.KERNEL32 ref: 029FBB99
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 029FBE15
                                                                                                  • closesocket.WS2_32(00000000), ref: 029FBEB4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 1869671989-2903620461
                                                                                                  • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                  • Instruction ID: 641a98b6a14093953c63eee0bd2c2b78e40f7dbb86bc3b858778583445683608
                                                                                                  • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                  • Instruction Fuzzy Hash: C3317A71500248DFDFA5DFA4DC94BE9B7A9EB48708F20446AFB2482160EB30DA85CF50
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 536389180-1857712256
                                                                                                  • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                  • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                  • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                  • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTickwsprintf
                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                  • API String ID: 2424974917-1012700906
                                                                                                  • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                  • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                  • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                  • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                  APIs
                                                                                                    • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                    • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 3716169038-2903620461
                                                                                                  • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                  • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                  • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                  • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 029F70BC
                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 029F70F4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                  • String ID: |
                                                                                                  • API String ID: 2370142434-2343686810
                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction ID: 75c1518157cbd9fd6a6fa909776af897cd290bfb659b25402a5540fc74d0f832
                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction Fuzzy Hash: 91111E72A0011CEBDF91CFD4DC84AEEF7BDAB04719F1441A6E601E6194D7709B88CBA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2777991786-1857712256
                                                                                                  • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                  • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                  APIs
                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                  • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 224340156-2903620461
                                                                                                  • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                  • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                  APIs
                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                  • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                  • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                  • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: ntdll.dll
                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                  • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                  • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                  APIs
                                                                                                    • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                    • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2072415855.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000000.00000002.2072415855.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_400000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                  • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                                  APIs
                                                                                                    • Part of subcall function 029F2F88: GetModuleHandleA.KERNEL32(?), ref: 029F2FA1
                                                                                                    • Part of subcall function 029F2F88: LoadLibraryA.KERNEL32(?), ref: 029F2FB1
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 029F31DA
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 029F31E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2074381833.00000000029F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_29f0000_Eduhazqw4u.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction ID: 12b0a44afab6500d9f4a0e87cb1c6c712da7f52545d6880f8d345a04986cb267
                                                                                                  • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction Fuzzy Hash: 32519D7190028AEFCB81DF64D888AFAB779FF05304F1445A9ED96C7210E736DA19CB94

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:2.9%
                                                                                                  Dynamic/Decrypted Code Coverage:30.3%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:1572
                                                                                                  Total number of Limit Nodes:13
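The execution graph that follows is serialized as a flat token stream: a five-digit node id, the function's hex address, zero or more labels (API names, or a collapsed "n API calls" summary), and `src->dst` edges. Read in that form it is hard to confirm what the report's signatures claim, so the following added example (not Joe Sandbox code, and not part of the report) parses that stream and walks the call graph. The token format is an assumption inferred from the text below; the EXCERPT is copied from the graph's own tokens for the routine at 40977c, which is where the suspended-process injection sequence (CreateProcessA, Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) lives.

```python
# Added example (not Joe Sandbox code): parse the report's serialized
# execution_graph tokens and trace API chains through the call graph.
# Assumed token format, inferred from the graph text: "<5-digit node id>
# <hex address> <labels...>" for nodes and "<src>-><dst>" for edges.
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d{5}$")
NOISE = {"API", "calls"}  # "4 API calls" marks a collapsed subcall, not a function

# Copied from the execution_graph text: the 0x40977c routine and its callees.
EXCERPT = """
14851 40977c 14821->14851 14915 40ee2a 14851->14915
14854 4097c2 14856 4097d4 Wow64GetThreadContext 14854->14856 14855 4097bb 14855->14823
14857 409801 14856->14857 14858 4097f5 14856->14858 14917 40637c 14857->14917
14859 4097f6 TerminateProcess 14858->14859 14859->14855 14861 409816 14861->14859
14862 40981e WriteProcessMemory 14861->14862 14862->14858 14863 40983b Wow64SetThreadContext
14862->14863 14863->14858 14864 409858 ResumeThread 14863->14864 14864->14855
14916 409794 CreateProcessA 14915->14916 14916->14854 14916->14855
14918 406386 14917->14918 14919 40638a GetModuleHandleA VirtualAlloc 14917->14919 14918->14861
14920 4063f5 14919->14920 14921 4063b6 14919->14921 14920->14861 14922 4063be VirtualAllocEx
14921->14922 14922->14920 14923 4063d6 14922->14923 14924 4063df WriteProcessMemory
14923->14924 14924->14920
"""

# The classic suspended-process injection sequence, in the order it must occur.
HOLLOWING_CHAIN = ["CreateProcessA", "Wow64GetThreadContext", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread"]


@dataclass
class Node:
    nid: int
    address: str
    labels: list = field(default_factory=list)

    @property
    def calls(self):
        # Keep named functions; drop the "<n> API calls" summary tokens.
        return [t for t in self.labels if t not in NOISE and not t.isdigit()]


def parse_execution_graph(text):
    """Return (nodes, edges): {id: Node} and {src: [dst, ...]} in text order."""
    nodes, edges, cur, expect_addr = {}, defaultdict(list), None, False
    for tok in text.split():
        if tok == "execution_graph":
            continue
        m = EDGE_RE.match(tok)
        if m:  # edge token, e.g. 14862->14863
            src, dst = int(m.group(1)), int(m.group(2))
            if dst not in edges[src]:
                edges[src].append(dst)
        elif expect_addr:  # the token right after a node id is its address
            nodes[cur], expect_addr = Node(cur, tok), False
        elif NODE_ID_RE.match(tok):  # a new node starts
            cur, expect_addr = int(tok), True
        elif cur is not None:  # anything else labels the current node
            nodes[cur].labels.append(tok)
    return nodes, dict(edges)


def nodes_calling(nodes, api):
    return sorted(n.nid for n in nodes.values() if api in n.calls)


def shortest_path(edges, src, dst):
    """BFS; returns node ids on one shortest src->dst path, or [] if unreachable."""
    pred, queue = {src: None}, deque([src])
    while queue and dst not in pred:
        cur = queue.popleft()
        for nxt in edges.get(cur, ()):
            if nxt not in pred:
                pred[nxt] = cur
                queue.append(nxt)
    if dst not in pred:
        return []
    path = []
    while dst is not None:
        path.append(dst)
        dst = pred[dst]
    return path[::-1]


def calls_on_path(nodes, path):
    return [c for nid in path if nid in nodes for c in nodes[nid].calls]


def reachable_calls(nodes, edges, start):
    """Every labelled call reachable from start, including branches BFS skips."""
    seen, stack, out = set(), [start], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        if cur in nodes:
            out.update(nodes[cur].calls)
        stack.extend(edges.get(cur, ()))
    return out


def is_hollowing_chain(calls):
    """True if HOLLOWING_CHAIN occurs in order within calls (others may interleave)."""
    it = iter(calls)
    return all(any(c == want for c in it) for want in HOLLOWING_CHAIN)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXCERPT)
    path = shortest_path(edges, 14851, 14864)
    print(" -> ".join(f"{n}@{nodes[n].address}" if n in nodes else str(n) for n in path))
    print(calls_on_path(nodes, path), is_hollowing_chain(calls_on_path(nodes, path)))
    print(sorted(reachable_calls(nodes, edges, 14851)))
```

The shortest path from 40977c to the ResumeThread node runs through 406386 and skips the VirtualAlloc/VirtualAllocEx branch at 40638a, so a path walk alone understates what the routine does; `reachable_calls` is there to pick up the remote allocation and the second WriteProcessMemory that the report's "Allocates memory in foreign processes" and "Writes to foreign memory regions" entries refer to.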
                                                                                                  execution_graph 14803 409961 RegisterServiceCtrlHandlerA 14804 40997d 14803->14804 14811 4099cb 14803->14811 14813 409892 14804->14813 14806 40999a 14807 4099ba 14806->14807 14808 409892 SetServiceStatus 14806->14808 14810 409892 SetServiceStatus 14807->14810 14807->14811 14809 4099aa 14808->14809 14809->14807 14816 4098f2 14809->14816 14810->14811 14814 4098c2 SetServiceStatus 14813->14814 14814->14806 14817 4098f6 14816->14817 14819 409904 Sleep 14817->14819 14821 409917 14817->14821 14824 404280 CreateEventA 14817->14824 14819->14817 14820 409915 14819->14820 14820->14821 14823 409947 14821->14823 14851 40977c 14821->14851 14823->14807 14825 4042a5 14824->14825 14826 40429d 14824->14826 14865 403ecd 14825->14865 14826->14817 14828 4042b0 14869 404000 14828->14869 14831 4043c1 CloseHandle 14831->14826 14832 4042ce 14875 403f18 WriteFile 14832->14875 14837 4043ba CloseHandle 14837->14831 14838 404318 14839 403f18 4 API calls 14838->14839 14840 404331 14839->14840 14841 403f18 4 API calls 14840->14841 14842 40434a 14841->14842 14883 40ebcc GetProcessHeap HeapAlloc 14842->14883 14845 403f18 4 API calls 14846 404389 14845->14846 14886 40ec2e 14846->14886 14849 403f8c 4 API calls 14850 40439f CloseHandle CloseHandle 14849->14850 14850->14826 14915 40ee2a 14851->14915 14854 4097c2 14856 4097d4 Wow64GetThreadContext 14854->14856 14855 4097bb 14855->14823 14857 409801 14856->14857 14858 4097f5 14856->14858 14917 40637c 14857->14917 14859 4097f6 TerminateProcess 14858->14859 14859->14855 14861 409816 14861->14859 14862 40981e WriteProcessMemory 14861->14862 14862->14858 14863 40983b Wow64SetThreadContext 14862->14863 14863->14858 14864 409858 ResumeThread 14863->14864 14864->14855 14866 403ee2 14865->14866 14867 403edc 14865->14867 14866->14828 14891 406dc2 14867->14891 14870 40400b CreateFileA 14869->14870 14871 40402c GetLastError 14870->14871 14872 404052 14870->14872 
14871->14872 14873 404037 14871->14873 14872->14826 14872->14831 14872->14832 14873->14872 14874 404041 Sleep 14873->14874 14874->14870 14874->14872 14876 403f7c 14875->14876 14877 403f4e GetLastError 14875->14877 14879 403f8c ReadFile 14876->14879 14877->14876 14878 403f5b WaitForSingleObject GetOverlappedResult 14877->14878 14878->14876 14880 403ff0 14879->14880 14881 403fc2 GetLastError 14879->14881 14880->14837 14880->14838 14881->14880 14882 403fcf WaitForSingleObject GetOverlappedResult 14881->14882 14882->14880 14909 40eb74 14883->14909 14887 40ec37 14886->14887 14888 40438f 14886->14888 14912 40eba0 14887->14912 14888->14849 14892 406e24 14891->14892 14893 406dd7 14891->14893 14892->14866 14897 406cc9 14893->14897 14895 406ddc 14895->14892 14895->14895 14896 406e02 GetVolumeInformationA 14895->14896 14896->14892 14898 406cdc GetModuleHandleA GetProcAddress 14897->14898 14899 406dbe 14897->14899 14900 406d12 GetSystemDirectoryA 14898->14900 14901 406cfd 14898->14901 14899->14895 14902 406d27 GetWindowsDirectoryA 14900->14902 14903 406d1e 14900->14903 14901->14900 14904 406d8b 14901->14904 14906 406d42 14902->14906 14903->14902 14903->14904 14904->14899 14907 40ef1e lstrlenA 14906->14907 14908 40ef32 14907->14908 14908->14904 14910 40eb7b GetProcessHeap HeapSize 14909->14910 14911 404350 14909->14911 14910->14911 14911->14845 14913 40eba7 GetProcessHeap HeapSize 14912->14913 14914 40ebbf GetProcessHeap HeapFree 14912->14914 14913->14914 14914->14888 14916 409794 CreateProcessA 14915->14916 14916->14854 14916->14855 14918 406386 14917->14918 14919 40638a GetModuleHandleA VirtualAlloc 14917->14919 14918->14861 14920 4063f5 14919->14920 14921 4063b6 14919->14921 14920->14861 14922 4063be VirtualAllocEx 14921->14922 14922->14920 14923 4063d6 14922->14923 14924 4063df WriteProcessMemory 14923->14924 14924->14920 14968 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 15085 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14968->15085 
14970 409a95 14971 409aa3 GetModuleHandleA GetModuleFileNameA 14970->14971 14976 40a3c7 14970->14976 14983 409ac4 14971->14983 14972 40a41c CreateThread WSAStartup 15196 40e52e 14972->15196 16023 40405e CreateEventA 14972->16023 14973 40a406 DeleteFileA 14973->14976 14977 40a40d 14973->14977 14975 409afd GetCommandLineA 14984 409b22 14975->14984 14976->14972 14976->14973 14976->14977 14979 40a3ed GetLastError 14976->14979 14977->14972 14978 40a445 15215 40eaaf 14978->15215 14979->14977 14981 40a3f8 Sleep 14979->14981 14981->14973 14982 40a44d 15219 401d96 14982->15219 14983->14975 14989 409c0c 14984->14989 14995 409b47 14984->14995 14986 40a457 15267 4080c9 14986->15267 15086 4096aa 14989->15086 14999 409b96 lstrlenA 14995->14999 15001 409b58 14995->15001 14996 40a1d2 15002 40a1e3 GetCommandLineA 14996->15002 14997 409c39 15000 40a167 GetModuleHandleA GetModuleFileNameA 14997->15000 15006 409c4b 14997->15006 14999->15001 15004 409c05 ExitProcess 15000->15004 15005 40a189 15000->15005 15001->15004 15009 409bd2 15001->15009 15030 40a205 15002->15030 15005->15004 15014 40a1b2 GetDriveTypeA 15005->15014 15006->15000 15008 404280 30 API calls 15006->15008 15011 409c5b 15008->15011 15098 40675c 15009->15098 15011->15000 15017 40675c 21 API calls 15011->15017 15014->15004 15016 40a1c5 15014->15016 15188 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 15016->15188 15018 409c79 15017->15018 15018->15000 15024 409ca0 GetTempPathA 15018->15024 15025 409e3e 15018->15025 15021 409bff 15021->15004 15022 40a491 15023 40a49f GetTickCount 15022->15023 15026 40a4be Sleep 15022->15026 15029 40a4b7 GetTickCount 15022->15029 15313 40c913 15022->15313 15023->15022 15023->15026 15024->15025 15028 409cba 15024->15028 15036 409e6b GetEnvironmentVariableA 15025->15036 15037 409e04 15025->15037 15026->15022 15136 4099d2 lstrcpyA 15028->15136 15029->15026 15033 40a285 lstrlenA 15030->15033 15046 40a239 15030->15046 15032 40ec2e codecvt 4 API calls 15035 40a15d 15032->15035 15033->15046 
15035->15000 15035->15004 15036->15037 15038 409e7d 15036->15038 15037->15032 15039 4099d2 16 API calls 15038->15039 15040 409e9d 15039->15040 15040->15037 15045 409eb0 lstrcpyA lstrlenA 15040->15045 15041 406dc2 6 API calls 15043 409d5f 15041->15043 15048 406cc9 5 API calls 15043->15048 15044 40a3c2 15049 4098f2 41 API calls 15044->15049 15047 409ef4 15045->15047 15094 406ec3 15046->15094 15050 406dc2 6 API calls 15047->15050 15053 409f03 15047->15053 15052 409d72 lstrcpyA lstrcatA lstrcatA 15048->15052 15049->14976 15050->15053 15051 40a39d StartServiceCtrlDispatcherA 15051->15044 15055 409cf6 15052->15055 15054 409f32 RegOpenKeyExA 15053->15054 15057 409f48 RegSetValueExA RegCloseKey 15054->15057 15060 409f70 15054->15060 15143 409326 15055->15143 15056 40a35f 15056->15044 15056->15051 15057->15060 15065 409f9d GetModuleHandleA GetModuleFileNameA 15060->15065 15061 409e0c DeleteFileA 15061->15025 15062 409dde GetFileAttributesExA 15062->15061 15063 409df7 15062->15063 15063->15037 15180 4096ff 15063->15180 15067 409fc2 15065->15067 15068 40a093 15065->15068 15067->15068 15074 409ff1 GetDriveTypeA 15067->15074 15069 40a103 CreateProcessA 15068->15069 15070 40a0a4 wsprintfA 15068->15070 15071 40a13a 15069->15071 15072 40a12a DeleteFileA 15069->15072 15186 402544 15070->15186 15071->15037 15077 4096ff 3 API calls 15071->15077 15072->15071 15074->15068 15076 40a00d 15074->15076 15080 40a02d lstrcatA 15076->15080 15077->15037 15078 40ee2a 15079 40a0ec lstrcatA 15078->15079 15079->15069 15081 40a046 15080->15081 15082 40a052 lstrcatA 15081->15082 15083 40a064 lstrcatA 15081->15083 15082->15083 15083->15068 15084 40a081 lstrcatA 15083->15084 15084->15068 15085->14970 15087 4096b9 15086->15087 15416 4073ff 15087->15416 15089 4096e2 15090 4096e9 15089->15090 15091 4096fa 15089->15091 15436 40704c 15090->15436 15091->14996 15091->14997 15093 4096f7 15093->15091 15095 406ed5 15094->15095 15096 406ecc 15094->15096 15095->15056 15461 406e36 GetUserNameW 15096->15461 15099 
406784 CreateFileA 15098->15099 15100 40677a SetFileAttributesA 15098->15100 15101 4067a4 CreateFileA 15099->15101 15102 4067b5 15099->15102 15100->15099 15101->15102 15103 4067c5 15102->15103 15104 4067ba SetFileAttributesA 15102->15104 15105 406977 15103->15105 15106 4067cf GetFileSize 15103->15106 15104->15103 15105->15004 15123 406a60 CreateFileA 15105->15123 15107 4067e5 15106->15107 15122 406922 15106->15122 15109 4067ed ReadFile 15107->15109 15107->15122 15108 40696e CloseHandle 15108->15105 15110 406811 SetFilePointer 15109->15110 15109->15122 15111 40682a ReadFile 15110->15111 15110->15122 15112 406848 SetFilePointer 15111->15112 15111->15122 15113 406867 15112->15113 15112->15122 15114 406878 ReadFile 15113->15114 15117 4068d0 15113->15117 15114->15113 15114->15117 15115 40ebcc 4 API calls 15116 4068f8 15115->15116 15118 406900 SetFilePointer 15116->15118 15116->15122 15117->15108 15117->15115 15119 40695a 15118->15119 15120 40690d ReadFile 15118->15120 15121 40ec2e codecvt 4 API calls 15119->15121 15120->15119 15120->15122 15121->15122 15122->15108 15124 406b8c GetLastError 15123->15124 15125 406a8f GetDiskFreeSpaceA 15123->15125 15126 406b86 15124->15126 15127 406ac5 15125->15127 15133 406ad7 15125->15133 15126->15021 15464 40eb0e 15127->15464 15131 406b56 CloseHandle 15131->15126 15135 406b65 GetLastError CloseHandle 15131->15135 15132 406b36 GetLastError CloseHandle 15134 406b7f DeleteFileA 15132->15134 15468 406987 15133->15468 15134->15126 15135->15134 15137 4099eb 15136->15137 15138 409a2f lstrcatA 15137->15138 15139 40ee2a 15138->15139 15140 409a4b lstrcatA 15139->15140 15141 406a60 13 API calls 15140->15141 15142 409a60 15141->15142 15142->15025 15142->15041 15142->15055 15478 401910 15143->15478 15146 40934a GetModuleHandleA GetModuleFileNameA 15148 40937f 15146->15148 15149 4093a4 15148->15149 15150 4093d9 15148->15150 15151 4093c3 wsprintfA 15149->15151 15152 409401 wsprintfA 15150->15152 15154 409415 15151->15154 15152->15154 15153 4094a0 
15480 406edd 15153->15480 15154->15153 15156 406cc9 5 API calls 15154->15156 15163 409439 15156->15163 15157 4094ac 15158 40962f 15157->15158 15159 4094e8 RegOpenKeyExA 15157->15159 15164 409646 15158->15164 15501 401820 15158->15501 15161 409502 15159->15161 15162 4094fb 15159->15162 15166 40951f RegQueryValueExA 15161->15166 15162->15158 15168 40958a 15162->15168 15167 40ef1e lstrlenA 15163->15167 15173 4095d6 15164->15173 15507 4091eb 15164->15507 15169 409530 15166->15169 15170 409539 15166->15170 15171 409462 15167->15171 15168->15164 15172 409593 15168->15172 15174 40956e RegCloseKey 15169->15174 15175 409556 RegQueryValueExA 15170->15175 15176 40947e wsprintfA 15171->15176 15172->15173 15488 40f0e4 15172->15488 15173->15061 15173->15062 15174->15162 15175->15169 15175->15174 15176->15153 15178 4095bb 15178->15173 15495 4018e0 15178->15495 15181 402544 15180->15181 15182 40972d RegOpenKeyExA 15181->15182 15183 409740 15182->15183 15184 409765 15182->15184 15185 40974f RegDeleteValueA RegCloseKey 15183->15185 15184->15037 15185->15184 15187 402554 lstrcatA 15186->15187 15187->15078 15189 402544 15188->15189 15190 40919e wsprintfA 15189->15190 15191 4091bb 15190->15191 15545 409064 GetTempPathA 15191->15545 15194 4091d5 ShellExecuteA 15195 4091e7 15194->15195 15195->15021 15552 40dd05 GetTickCount 15196->15552 15198 40e538 15559 40dbcf 15198->15559 15200 40e544 15201 40e555 GetFileSize 15200->15201 15204 40e5b8 15200->15204 15202 40e5b1 CloseHandle 15201->15202 15203 40e566 15201->15203 15202->15204 15569 40db2e 15203->15569 15578 40e3ca RegOpenKeyExA 15204->15578 15207 40e576 ReadFile 15207->15202 15209 40e58d 15207->15209 15573 40e332 15209->15573 15212 40e5f2 15213 40e3ca 19 API calls 15212->15213 15214 40e629 15212->15214 15213->15214 15214->14978 15216 40eabe 15215->15216 15218 40eaba 15215->15218 15217 40dd05 6 API calls 15216->15217 15216->15218 15217->15218 15218->14982 15220 40ee2a 15219->15220 15221 401db4 GetVersionExA 15220->15221 15222 401dd0 
GetSystemInfo GetModuleHandleA GetProcAddress 15221->15222 15224 401e24 15222->15224 15225 401e16 GetCurrentProcess 15222->15225 15631 40e819 15224->15631 15225->15224 15227 401e3d 15228 40e819 11 API calls 15227->15228 15229 401e4e 15228->15229 15230 401e77 15229->15230 15638 40df70 15229->15638 15647 40ea84 15230->15647 15233 401e6c 15235 40df70 12 API calls 15233->15235 15235->15230 15236 40e819 11 API calls 15237 401e93 15236->15237 15651 40199c inet_addr LoadLibraryA 15237->15651 15240 40e819 11 API calls 15241 401eb9 15240->15241 15242 401ed8 15241->15242 15243 40f04e 4 API calls 15241->15243 15244 40e819 11 API calls 15242->15244 15245 401ec9 15243->15245 15246 401eee 15244->15246 15247 40ea84 30 API calls 15245->15247 15256 401f0a 15246->15256 15664 401b71 15246->15664 15247->15242 15249 40e819 11 API calls 15252 401f23 15249->15252 15250 401efd 15253 40ea84 30 API calls 15250->15253 15251 401f3f 15255 40e819 11 API calls 15251->15255 15252->15251 15668 401bdf 15252->15668 15253->15256 15258 401f5e 15255->15258 15256->15249 15260 401f77 15258->15260 15261 40ea84 30 API calls 15258->15261 15259 40ea84 30 API calls 15259->15251 15675 4030b5 15260->15675 15261->15260 15264 406ec3 2 API calls 15266 401f8e GetTickCount 15264->15266 15266->14986 15268 406ec3 2 API calls 15267->15268 15269 4080eb 15268->15269 15270 4080f9 15269->15270 15271 4080ef 15269->15271 15273 40704c 16 API calls 15270->15273 15723 407ee6 15271->15723 15274 408110 15273->15274 15275 4080f4 15274->15275 15278 408156 RegOpenKeyExA 15274->15278 15276 40675c 21 API calls 15275->15276 15285 408269 CreateThread 15275->15285 15277 408244 15276->15277 15283 40ec2e codecvt 4 API calls 15277->15283 15277->15285 15278->15275 15279 40816d RegQueryValueExA 15278->15279 15280 40818d 15279->15280 15281 4081f7 15279->15281 15280->15281 15286 40ebcc 4 API calls 15280->15286 15282 40820d RegCloseKey 15281->15282 15284 40ec2e codecvt 4 API calls 15281->15284 15282->15275 15283->15285 15291 4081dd 15284->15291 
15292 405e6c 15285->15292 16052 40877e 15285->16052 15287 4081a0 15286->15287 15287->15282 15288 4081aa RegQueryValueExA 15287->15288 15288->15281 15289 4081c4 15288->15289 15290 40ebcc 4 API calls 15289->15290 15290->15291 15291->15282 15791 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15292->15791 15294 405e71 15792 40e654 15294->15792 15296 405ec1 15297 403132 15296->15297 15298 40df70 12 API calls 15297->15298 15299 40313b 15298->15299 15300 40c125 15299->15300 15803 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15300->15803 15302 40c12d 15303 40e654 13 API calls 15302->15303 15304 40c2bd 15303->15304 15305 40e654 13 API calls 15304->15305 15306 40c2c9 15305->15306 15307 40e654 13 API calls 15306->15307 15308 40a47a 15307->15308 15309 408db1 15308->15309 15310 408dbc 15309->15310 15311 40e654 13 API calls 15310->15311 15312 408dec Sleep 15311->15312 15312->15022 15314 40c92f 15313->15314 15315 40c93c 15314->15315 15804 40c517 15314->15804 15317 40ca2b 15315->15317 15318 40e819 11 API calls 15315->15318 15317->15022 15319 40c96a 15318->15319 15320 40e819 11 API calls 15319->15320 15321 40c97d 15320->15321 15322 40e819 11 API calls 15321->15322 15323 40c990 15322->15323 15324 40c9aa 15323->15324 15325 40ebcc 4 API calls 15323->15325 15324->15317 15821 402684 15324->15821 15325->15324 15330 40ca26 15828 40c8aa 15330->15828 15333 40ca44 15334 40ca4b closesocket 15333->15334 15335 40ca83 15333->15335 15334->15330 15336 40ea84 30 API calls 15335->15336 15337 40caac 15336->15337 15338 40f04e 4 API calls 15337->15338 15339 40cab2 15338->15339 15340 40ea84 30 API calls 15339->15340 15341 40caca 15340->15341 15342 40ea84 30 API calls 15341->15342 15343 40cad9 15342->15343 15836 40c65c 15343->15836 15346 40cb60 closesocket 15346->15317 15348 40dad2 closesocket 15349 40e318 23 API calls 15348->15349 15349->15317 15350 40df4c 20 API calls 15362 40cb70 15350->15362 15355 40e654 13 API calls 15355->15362 15358 40c65c send 
GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15358->15362 15362->15348 15362->15350 15362->15355 15362->15358 15363 40d815 wsprintfA 15362->15363 15364 40cc1c GetTempPathA 15362->15364 15365 40ea84 30 API calls 15362->15365 15366 40d569 closesocket Sleep 15362->15366 15367 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15362->15367 15368 40c517 23 API calls 15362->15368 15370 40e8a1 30 API calls 15362->15370 15372 40cfe3 GetSystemDirectoryA 15362->15372 15373 40675c 21 API calls 15362->15373 15374 40d027 GetSystemDirectoryA 15362->15374 15375 40cfad GetEnvironmentVariableA 15362->15375 15376 40d105 lstrcatA 15362->15376 15377 40ef1e lstrlenA 15362->15377 15378 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15362->15378 15379 40cc9f CreateFileA 15362->15379 15380 40d15b CreateFileA 15362->15380 15385 40d149 SetFileAttributesA 15362->15385 15387 40d36e GetEnvironmentVariableA 15362->15387 15388 40d1bf SetFileAttributesA 15362->15388 15389 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15362->15389 15391 407ead 6 API calls 15362->15391 15392 40d22d GetEnvironmentVariableA 15362->15392 15394 40d3af lstrcatA 15362->15394 15396 407fcf 64 API calls 15362->15396 15397 40d3f2 CreateFileA 15362->15397 15403 40d26e lstrcatA 15362->15403 15405 40d4b1 CreateProcessA 15362->15405 15406 40d3e0 SetFileAttributesA 15362->15406 15407 40d2b1 CreateFileA 15362->15407 15409 40d452 SetFileAttributesA 15362->15409 15411 407ee6 64 API calls 15362->15411 15412 40d29f SetFileAttributesA 15362->15412 15415 40d31d SetFileAttributesA 15362->15415 15844 40c75d 15362->15844 15856 407e2f 15362->15856 15878 407ead 15362->15878 15888 4031d0 15362->15888 15905 403c09 15362->15905 15915 403a00 15362->15915 15919 40e7b4 15362->15919 15922 40c06c 15362->15922 15928 406f5f GetUserNameA 15362->15928 15939 40e854 15362->15939 15949 407dd6 15362->15949 15363->15362 15364->15362 15365->15362 15883 40e318 15366->15883 
15367->15362 15368->15362 15370->15362 15371 40d582 ExitProcess 15372->15362 15373->15362 15374->15362 15375->15362 15376->15362 15377->15362 15378->15362 15379->15362 15381 40ccc6 WriteFile 15379->15381 15380->15362 15382 40d182 WriteFile CloseHandle 15380->15382 15383 40cdcc CloseHandle 15381->15383 15384 40cced CloseHandle 15381->15384 15382->15362 15383->15362 15390 40cd2f 15384->15390 15385->15380 15386 40cd16 wsprintfA 15386->15390 15387->15362 15388->15362 15389->15362 15390->15386 15865 407fcf 15390->15865 15391->15362 15392->15362 15394->15362 15394->15397 15396->15362 15397->15362 15400 40d415 WriteFile CloseHandle 15397->15400 15398 40cd81 WaitForSingleObject CloseHandle CloseHandle 15401 40f04e 4 API calls 15398->15401 15399 40cda5 15402 407ee6 64 API calls 15399->15402 15400->15362 15401->15399 15404 40cdbd DeleteFileA 15402->15404 15403->15362 15403->15407 15404->15362 15405->15362 15408 40d4e8 CloseHandle CloseHandle 15405->15408 15406->15397 15407->15362 15410 40d2d8 WriteFile CloseHandle 15407->15410 15408->15362 15409->15362 15410->15362 15411->15362 15412->15407 15415->15362 15417 40741b 15416->15417 15418 406dc2 6 API calls 15417->15418 15419 40743f 15418->15419 15420 407469 RegOpenKeyExA 15419->15420 15421 4077f9 15420->15421 15432 407487 ___ascii_stricmp 15420->15432 15421->15089 15422 407703 RegEnumKeyA 15423 407714 RegCloseKey 15422->15423 15422->15432 15423->15421 15424 40f1a5 lstrlenA 15424->15432 15425 4074d2 RegOpenKeyExA 15425->15432 15426 40772c 15428 407742 RegCloseKey 15426->15428 15429 40774b 15426->15429 15427 407521 RegQueryValueExA 15427->15432 15428->15429 15430 4077ec RegCloseKey 15429->15430 15430->15421 15431 4076e4 RegCloseKey 15431->15432 15432->15422 15432->15424 15432->15425 15432->15426 15432->15427 15432->15431 15434 40777e GetFileAttributesExA 15432->15434 15435 407769 15432->15435 15433 4077e3 RegCloseKey 15433->15430 15434->15435 15435->15433 15437 407073 15436->15437 15438 4070b9 RegOpenKeyExA 15437->15438 15439 
4070d0 15438->15439 15453 4071b8 15438->15453 15440 406dc2 6 API calls 15439->15440 15443 4070d5 15440->15443 15441 40719b RegEnumValueA 15442 4071af RegCloseKey 15441->15442 15441->15443 15442->15453 15443->15441 15445 4071d0 15443->15445 15459 40f1a5 lstrlenA 15443->15459 15446 407205 RegCloseKey 15445->15446 15447 407227 15445->15447 15446->15453 15448 4072b8 ___ascii_stricmp 15447->15448 15449 40728e RegCloseKey 15447->15449 15450 4072cd RegCloseKey 15448->15450 15451 4072dd 15448->15451 15449->15453 15450->15453 15452 407311 RegCloseKey 15451->15452 15455 407335 15451->15455 15452->15453 15453->15093 15454 4073d5 RegCloseKey 15456 4073e4 15454->15456 15455->15454 15457 40737e GetFileAttributesExA 15455->15457 15458 407397 15455->15458 15457->15458 15458->15454 15460 40f1c3 15459->15460 15460->15443 15462 406e97 15461->15462 15463 406e5f LookupAccountNameW 15461->15463 15462->15095 15463->15462 15465 40eb17 15464->15465 15467 40eb21 15464->15467 15474 40eae4 15465->15474 15467->15133 15470 4069b9 WriteFile 15468->15470 15471 406a3c 15470->15471 15473 4069ff 15470->15473 15471->15131 15471->15132 15472 406a10 WriteFile 15472->15471 15472->15473 15473->15471 15473->15472 15475 40eb02 GetProcAddress 15474->15475 15476 40eaed LoadLibraryA 15474->15476 15475->15467 15476->15475 15477 40eb01 15476->15477 15477->15467 15479 401924 GetVersionExA 15478->15479 15479->15146 15481 406eef AllocateAndInitializeSid 15480->15481 15487 406f55 15480->15487 15482 406f44 15481->15482 15483 406f1c CheckTokenMembership 15481->15483 15486 406e36 2 API calls 15482->15486 15482->15487 15484 406f3b FreeSid 15483->15484 15485 406f2e 15483->15485 15484->15482 15485->15484 15486->15487 15487->15157 15489 40f0f1 15488->15489 15490 40f0ed 15488->15490 15491 40f119 15489->15491 15492 40f0fa lstrlenA SysAllocStringByteLen 15489->15492 15490->15178 15493 40f11c MultiByteToWideChar 15491->15493 15492->15493 15494 40f117 15492->15494 15493->15494 15494->15178 15496 401820 17 API calls 
15495->15496 15497 4018f2 15496->15497 15498 4018f9 15497->15498 15512 401280 15497->15512 15498->15173 15500 401908 15500->15173 15524 401000 15501->15524 15503 401839 15504 401851 GetCurrentProcess 15503->15504 15505 40183d 15503->15505 15506 401864 15504->15506 15505->15164 15506->15164 15509 40920e 15507->15509 15511 409308 15507->15511 15508 4092f1 Sleep 15508->15509 15509->15508 15510 4092bf ShellExecuteA 15509->15510 15509->15511 15510->15509 15510->15511 15511->15173 15513 4012e1 15512->15513 15514 4016f9 GetLastError 15513->15514 15515 4013a8 15513->15515 15516 401699 15514->15516 15515->15516 15517 401570 lstrlenW 15515->15517 15518 4015be GetStartupInfoW 15515->15518 15519 4015ff CreateProcessWithLogonW 15515->15519 15523 401668 CloseHandle 15515->15523 15516->15500 15517->15515 15518->15515 15520 4016bf GetLastError 15519->15520 15521 40163f WaitForSingleObject 15519->15521 15520->15516 15521->15515 15522 401659 CloseHandle 15521->15522 15522->15515 15523->15515 15525 40100d LoadLibraryA 15524->15525 15532 401023 15524->15532 15526 401021 15525->15526 15525->15532 15526->15503 15527 4010b5 GetProcAddress 15528 4010d1 GetProcAddress 15527->15528 15529 40127b 15527->15529 15528->15529 15530 4010f0 GetProcAddress 15528->15530 15529->15503 15530->15529 15531 401110 GetProcAddress 15530->15531 15531->15529 15533 401130 GetProcAddress 15531->15533 15532->15527 15544 4010ae 15532->15544 15533->15529 15534 40114f GetProcAddress 15533->15534 15534->15529 15535 40116f GetProcAddress 15534->15535 15535->15529 15536 40118f GetProcAddress 15535->15536 15536->15529 15537 4011ae GetProcAddress 15536->15537 15537->15529 15538 4011ce GetProcAddress 15537->15538 15538->15529 15539 4011ee GetProcAddress 15538->15539 15539->15529 15540 401209 GetProcAddress 15539->15540 15540->15529 15541 401225 GetProcAddress 15540->15541 15541->15529 15542 401241 GetProcAddress 15541->15542 15542->15529 15543 40125c GetProcAddress 15542->15543 15543->15529 15544->15503 15546 40908d 
[Execution graph: the report renders the sample's function call graph as an interactive figure. Only its raw node and edge data (node id, function address, API names) survived extraction, and that listing is not reproduced here. API names visible in the graph data, grouped by family:
  file and registry: CreateFileA, WriteFile, ReadFile, CloseHandle, DeleteFileA, GetTempPathA, RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, RegDeleteValueA, RegCloseKey, RegGetKeySecurity, RegSetKeySecurity
  ACL manipulation on files and registry keys: GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, SetFileSecurityA, GetSecurityDescriptorOwner, GetSecurityDescriptorDacl, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, GetAce, DeleteAce, EqualSid, ConvertSidToStringSidA
  networking (Winsock): socket, setsockopt, ioctlsocket, connect, select, __WSAFDIsSet, send, recv, sendto, closesocket, htons, inet_addr, inet_ntoa, gethostname, gethostbyname, gethostbyaddr
  process, thread and IPC: CreateProcessA, CreateThread, ExitProcess, CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe, WaitForSingleObject, GetOverlappedResult, GetLastError, InterlockedExchange/Increment/Decrement, GetTickCount/Sleep polling loops
  host identity and time: GetComputerNameA, GetVolumeInformationA, GetUserNameA, GetEnvironmentVariableA, GetLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, FileTimeToSystemTime, FileTimeToLocalFileTime, GetSystemTimeAsFileTime
  dynamic API resolution and heap: LoadLibraryA, GetProcAddress, FreeLibrary, GetModuleHandleA, GetProcessHeap, HeapAlloc, HeapReAlloc, HeapSize, HeapFree, IsBadCodePtr
  unpacking stubs at 2860005 and 2982001: GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, CreateToolhelp32Snapshot, Module32First]
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\Eduhazqw4u.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\Eduhazqw4u.exe$C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$D$P$\$zuvmebno
• API String ID: 2089075347-1392905253
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph (rendered graph not reproduced in this extract)

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

Control-flow Graph (rendered graph not reproduced in this extract)

APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.KERNELBASE(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph (rendered graph not reproduced in this extract)

APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0286024D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: a300cb67fec88b03af7a3a4ef74deefd8f467b6be73749be2861eaa1549bae76
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 84526978A01229DFDB64CF58C985BACBBB1BF09304F1480D9E94DAB351DB30AA85DF15

Control-flow Graph (rendered graph not reproduced in this extract)

APIs
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2098669666-2746444292
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

Control-flow Graph (rendered graph not reproduced in this extract)

APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
• GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
• Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
                                                                                                  • API ID: CreateErrorFileLastSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 408151869-0
                                                                                                  • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                                  • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                                  • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                                  • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                                  • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$CountFileInformationSystemTickVolume
                                                                                                  • String ID:
                                                                                                  • API String ID: 1209300637-0
                                                                                                  • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                                  • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                                  • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 509 406e36-406e5d GetUserNameW 510 406ebe-406ec2 509->510 511 406e5f-406e95 LookupAccountNameW 509->511 511->510 512 406e97-406e9b 511->512 513 406ebb-406ebd 512->513 514 406e9d-406ea3 512->514 513->510 514->513 515 406ea5-406eaa 514->515 516 406eb7-406eb9 515->516 517 406eac-406eb0 515->517 516->510 517->513 518 406eb2-406eb5 517->518 518->513 518->516
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                  • String ID:
                                                                                                  • API String ID: 2370142434-0
                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 519 29827a1-29827ba 520 29827bc-29827be 519->520 521 29827c0 520->521 522 29827c5-29827d1 CreateToolhelp32Snapshot 520->522 521->522 523 29827e1-29827ee Module32First 522->523 524 29827d3-29827d9 522->524 525 29827f0-29827f1 call 2982460 523->525 526 29827f7-29827ff 523->526 524->523 530 29827db-29827df 524->530 531 29827f6 525->531 530->520 530->523 531->526
                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029827C9
                                                                                                  • Module32First.KERNEL32(00000000,00000224), ref: 029827E9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0297E000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_297e000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 3833638111-0
                                                                                                  • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction ID: fee4552fc762ec48349f82d1a737e182a16d11bd2300bc9c08b34fbc1e2749b2
                                                                                                  • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                                  • Instruction Fuzzy Hash: 1BF09636A007556FE7203BFAAC8DB6E76ECAF49624F140528EE46950C0DB70F8454A71

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 532 2860e0f-2860e24 SetErrorMode * 2 533 2860e26 532->533 534 2860e2b-2860e2c 532->534 533->534
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(00000400,?,?,02860223,?,?), ref: 02860E19
                                                                                                  • SetErrorMode.KERNELBASE(00000000,?,?,02860223,?,?), ref: 02860E1E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction ID: 13f47b9541c6207de3e6593a9c9bc5ed00db9d5900c3480a992199a5652d673c
                                                                                                  • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                                  • Instruction Fuzzy Hash: EDD0123554512877D7002AD4DC0DBDD7B1CDF05B66F008011FB0DD9080C770954046E9

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 535 406dc2-406dd5 536 406e33-406e35 535->536 537 406dd7-406df1 call 406cc9 call 40ef00 535->537 542 406df4-406df9 537->542 542->542 543 406dfb-406e00 542->543 544 406e02-406e22 GetVolumeInformationA 543->544 545 406e24 543->545 544->545 546 406e2e 544->546 545->546 546->536
                                                                                                  APIs
                                                                                                    • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                    • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                    • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                    • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                                  • String ID:
                                                                                                  • API String ID: 1823874839-0
                                                                                                  • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                                  • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                                  • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 547 409892-4098c0 548 4098c2-4098c5 547->548 549 4098d9 547->549 548->549 550 4098c7-4098d7 548->550 551 4098e0-4098f1 SetServiceStatus 549->551 550->551
                                                                                                  APIs
                                                                                                  • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ServiceStatus
                                                                                                  • String ID:
                                                                                                  • API String ID: 3969395364-0
                                                                                                  • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                  • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                                  • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                                  • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 552 2982460-298249a call 2982773 555 29824e8 552->555 556 298249c-29824cf VirtualAlloc call 29824ed 552->556 555->555 558 29824d4-29824e6 556->558 558->555
                                                                                                  APIs
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029824B1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090526061.000000000297E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0297E000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_297e000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 4275171209-0
                                                                                                  • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction ID: 2b5e25494e701394fe4d9746beca14511c8c95dca95cb7cdd2cc10fbe70b6dad
                                                                                                  • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                                  • Instruction Fuzzy Hash: 0E113979A00208EFDB01DF98C985E98BBF5AF08351F0980A5F9489B361D371EA90DF90

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 559 4098f2-4098f4 560 4098f6-409902 call 404280 559->560 563 409904-409913 Sleep 560->563 564 409917 560->564 563->560 567 409915 563->567 565 409919-409942 call 402544 call 40977c 564->565 566 40995e-409960 564->566 571 409947-409957 call 40ee2a 565->571 567->564 571->566
                                                                                                  APIs
                                                                                                    • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                  • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateEventSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3100162736-0
                                                                                                  • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                  • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                                  • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                                  • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000), ref: 028665F6
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02866610
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02866631
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02866652
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1965334864-0
                                                                                                  • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                  • Instruction ID: 16dd4a84413003811932271edef91e7f182b45e5caacb5963c66fee3a89f4bd6
                                                                                                  • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                                  • Instruction Fuzzy Hash: 18117B79600258BFD7115F65EC49F9B3F6CEB057A5F104024FA09D7151E775DD008AA4
                                                                                                  APIs
                                                                                                  • ExitProcess.KERNEL32 ref: 02869E6D
                                                                                                  • lstrcpy.KERNEL32(?,00000000), ref: 02869FE1
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 02869FF2
                                                                                                  • lstrcat.KERNEL32(?,0041070C), ref: 0286A004
                                                                                                  • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0286A054
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 0286A09F
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0286A0D6
                                                                                                  • lstrcpy.KERNEL32 ref: 0286A12F
                                                                                                  • lstrlen.KERNEL32(00000022), ref: 0286A13C
                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 02869F13
                                                                                                    • Part of subcall function 02867029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02867081
                                                                                                    • Part of subcall function 02866F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\upqhzwij,02867043), ref: 02866F4E
                                                                                                    • Part of subcall function 02866F30: GetProcAddress.KERNEL32(00000000), ref: 02866F55
                                                                                                    • Part of subcall function 02866F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02866F7B
                                                                                                    • Part of subcall function 02866F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02866F92
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0286A1A2
                                                                                                  • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0286A1C5
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0286A214
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0286A21B
                                                                                                  • GetDriveTypeA.KERNEL32(?), ref: 0286A265
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0286A29F
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 0286A2C5
                                                                                                  • lstrcat.KERNEL32(?,00000022), ref: 0286A2D9
                                                                                                  • lstrcat.KERNEL32(?,00410A34), ref: 0286A2F4
                                                                                                  • wsprintfA.USER32 ref: 0286A31D
                                                                                                  • lstrcat.KERNEL32(?,00000000), ref: 0286A345
                                                                                                  • lstrcat.KERNEL32(?,?), ref: 0286A364
                                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0286A387
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0286A398
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0286A1D1
                                                                                                    • Part of subcall function 02869966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0286999D
                                                                                                    • Part of subcall function 02869966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 028699BD
                                                                                                    • Part of subcall function 02869966: RegCloseKey.ADVAPI32(?), ref: 028699C6
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0286A3DB
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0286A3E2
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0286A41D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                                  • String ID: "$"$"$D$P$\
                                                                                                  • API String ID: 1653845638-2605685093
                                                                                                  • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction ID: 349af5ca12569d62b6ad1a3665be8fcd9e3f72ce00796c8baf70f6386bea8a41
                                                                                                  • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                                  • Instruction Fuzzy Hash: C9F15DB9C40219AEDF25DBA4DD4CFFF7BBDAB08304F0440A6E609E2141E7759A848F65
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                  • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                  • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                                  • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                                  • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                                  • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                                  • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                                  • wsprintfA.USER32 ref: 0040B3B7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                  • API String ID: 766114626-2976066047
                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
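The function above builds an RFC 5322 style Date header from the local time and the result of GetTimeZoneInformation, using the format "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" and the day and month abbreviations in its string table. The following is an added illustration, not code from the sample or from the report, of what that format produces and how the Windows Bias value has to be turned into the "+hhmm" suffix: TIME_ZONE_INFORMATION.Bias is in minutes with UTC = local + Bias, so the printed offset is the negated Bias. The sign convention is the documented Windows one; how the sample itself derives the sign is not visible in the trace and is assumed here. The sample date and time below are the compile-timestamp strings seen elsewhere in this dump ("Jan 13 2018", "12:08:32") and are used only as test input.

```python
"""Reproduce the e-mail Date header format recovered from the sample.

Added example (not the sample's code).  Assumption: Bias follows the
documented Windows semantics, UTC = local + Bias (minutes).
"""
import re
from datetime import datetime

# Abbreviations exactly as they appear in the sample's string table.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]      # datetime.weekday(): Mon == 0
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Format string as recovered from the function above.  Python's % operator
# treats %u as %d and honours %.2u as "at least two digits", so it can be
# used verbatim.
FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"


def offset_from_bias(bias_minutes: int) -> tuple:
    """Map a Windows Bias (UTC = local + Bias) to (sign, hours, minutes)."""
    offset = -bias_minutes            # header wants local - UTC
    sign = "-" if offset < 0 else "+"
    offset = abs(offset)
    return sign, offset // 60, offset % 60


def format_date_header(local: datetime, bias_minutes: int) -> str:
    """Render a local time plus Bias the way the sample's wsprintfA call does."""
    sign, hh, mm = offset_from_bias(bias_minutes)
    return FMT % (DAYS[local.weekday()], local.day, MONTHS[local.month - 1],
                  local.year, local.hour, local.minute, local.second,
                  sign, hh, mm)


# Regex equivalent of the format, for matching Date headers in captured mail.
DATE_RE = re.compile(
    r"^(?:%s), \d{1,2} (?:%s) \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}$"
    % ("|".join(DAYS), "|".join(MONTHS))
)


def matches_sample_format(header_value: str) -> bool:
    """True when a Date header value has exactly the shape the sample emits."""
    return DATE_RE.match(header_value) is not None


if __name__ == "__main__":
    # Constructed input: the compile-timestamp strings from the dump, UTC+1.
    print(format_date_header(datetime(2018, 1, 13, 12, 8, 32), -60))
```

Note the caveat for detection work: this layout is the ordinary RFC 5322 date that most legitimate mail clients also produce, so a header matching DATE_RE is not on its own evidence of this sample; it is useful for normalising timestamps in spam captures and for confirming that the Bias handling of a reconstructed sample is right.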
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02867D21
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 02867D46
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02867D7D
                                                                                                  • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02867DA2
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02867DC0
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 02867DD1
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02867DE5
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02867DF3
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02867E03
                                                                                                  • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02867E12
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02867E19
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02867E35
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$D
                                                                                                  • API String ID: 2976863881-636235547
                                                                                                  • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction ID: 97e6902add46a3a921b1406152d580796ba94aade77de64998ea59551e44d4c9
                                                                                                  • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                                  • Instruction Fuzzy Hash: 36A16E79900219AFDB11CFA0DD88FFFBBB9FB08708F048569E509E6150D7758A84CBA5
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                                  • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                                  • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                                  • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                                  • String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$D
                                                                                                  • API String ID: 2976863881-636235547
                                                                                                  • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                                  • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                                  • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                  • API String ID: 2400214276-165278494
                                                                                                  • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                                  • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                                  • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 0040A7FB
                                                                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                                  • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                                  • wsprintfA.USER32 ref: 0040A8AF
                                                                                                  • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                                  • wsprintfA.USER32 ref: 0040A8E2
                                                                                                  • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                                  • wsprintfA.USER32 ref: 0040A9B9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                  • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                  • API String ID: 3650048968-2394369944
                                                                                                  • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                                  • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                                  • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
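The function above is the sample's SMTP client: it sends the commands in its string table ("ehlo %s", "helo %s", "AUTH LOGIN", "mail from:<%s>", "rcpt to:<%s>", "data", ".", "quit"), reads replies into a 0x3F6 byte buffer, and logs "Too big smtp respons", "Too small respons" or "Incorrect respons" when a reply fails its checks. The following is an added example, not code from the sample or the report, of how an analyst can run those observations over a captured client-to-server SMTP stream: split the stream into commands while skipping the DATA body, flag the lower-case verb spelling and the ehlo-then-helo fallback that the string table implies, and mirror the reply-size checks. The input stream is constructed for the example; the "fewer than 3 bytes is too small" threshold is an assumption (the trace shows only the error string, not the limit), and the lower-case verbs are a weak indicator because RFC 5321 verbs are case-insensitive.

```python
"""Classify a captured SMTP client stream against the sample's dialogue.

Added example (not the sample's code).  The command strings and the 0x3F6
recv() length come from the function trace above; the 'too small' threshold
and the constructed stream are assumptions made for this illustration.
"""
import re

MAX_RESPONSE = 0x3F6          # recv() length seen in the trace (1014 bytes)
MIN_RESPONSE = 3              # assumption: a reply must at least carry a 3-digit code

# Verbs exactly as spelled in the sample's string table.
SAMPLE_VERBS = ("ehlo", "helo", "mail from:", "rcpt to:", "data", "quit")

# Constructed client->server stream for the example (not captured traffic).
CONSTRUCTED_CLIENT_STREAM = (
    b"ehlo mail.example.com\r\n"
    b"helo mail.example.com\r\n"
    b"mail from:<alice@example.com>\r\n"
    b"rcpt to:<bob@example.net>\r\n"
    b"data\r\n"
    b"Subject: hi\r\n\r\nquit\r\n"   # message body; the 'quit' here is body text
    b".\r\n"
    b"quit\r\n"
)


def split_commands(stream: bytes) -> list:
    """Return the command lines a client sent, skipping the DATA body."""
    cmds, in_data = [], False
    for raw in stream.split(b"\r\n"):
        line = raw.decode("latin-1")
        if in_data:
            if line == ".":            # end-of-data marker
                in_data = False
            continue
        if not line:
            continue
        cmds.append(line)
        if line.lower() == "data":
            in_data = True
    return cmds


def verb_of(cmd: str) -> str:
    """Extract the SMTP verb, keeping two-word forms like 'mail from:' intact."""
    m = re.match(r"(mail from:|rcpt to:|auth login|\S+)", cmd, re.I)
    return m.group(1) if m else cmd


def tofsee_like(cmds: list) -> list:
    """Heuristic reasons a dialogue resembles the sample's spam module."""
    reasons = []
    verbs = [verb_of(c) for c in cmds]
    lowered = [v.lower() for v in verbs]
    # 1. verbs spelled exactly as in the string table (most MTAs send upper case)
    if any(v in SAMPLE_VERBS for v in verbs):
        reasons.append("lower-case SMTP verbs as in the sample's string table")
    # 2. ehlo immediately followed by helo: the fallback both strings exist for
    if any(a == "ehlo" and b == "helo" for a, b in zip(lowered, lowered[1:])):
        reasons.append("ehlo followed by helo fallback")
    # 3. the full envelope sequence, in order, as a subsequence of the verbs
    want = ["mail from:", "rcpt to:", "data", "quit"]
    pos = 0
    for v in lowered:
        if pos < len(want) and v == want[pos]:
            pos += 1
    if pos == len(want):
        reasons.append("mail from / rcpt to / data / quit envelope sequence")
    return reasons


def classify_response(response: bytes) -> str:
    """Mirror the reply checks whose error strings appear in the trace."""
    if len(response) > MAX_RESPONSE:
        return "Too big smtp respons (%d bytes)" % len(response)
    if len(response) < MIN_RESPONSE:
        return "Too small respons"
    if not response[:3].isdigit():
        return "Incorrect respons"
    return "ok %s" % response[:3].decode()


if __name__ == "__main__":
    cmds = split_commands(CONSTRUCTED_CLIENT_STREAM)
    print(cmds)
    print(tofsee_like(cmds))
    print(classify_response(b"220 mx.example.net ESMTP ready\r\n"))
```

The size check is worth keeping in mind when emulating the C2 or the mail server in a lab: an EHLO reply whose capability list exceeds 1014 bytes lands in the sample's "Too big smtp respons" branch and the session is abandoned, so a stand-in server should keep its banner and EHLO response short.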
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 02867A96
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02867ACD
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 02867ADF
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02867B01
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02867B1F
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 02867B39
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02867B4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02867B58
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02867B68
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02867B77
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02867B7E
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02867B9A
                                                                                                  • GetAce.ADVAPI32(?,?,?), ref: 02867BCA
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 02867BF1
                                                                                                  • DeleteAce.ADVAPI32(?,?), ref: 02867C0A
                                                                                                  • EqualSid.ADVAPI32(?,?), ref: 02867C2C
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 02867CB1
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02867CBF
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02867CD0
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02867CE0
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 02867CEE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: d6951d5caffb8c978017514fed8eeb6ea0f239bb178163d33e75f04ac6ae8024
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: C1815F7990021AAFEB11CFA4DD48FEEBBB9FF08308F148069E509E6150D7759681CFA4
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                                  • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                                  • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                                  • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                                  • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                                  • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                                  • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                                  • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                                  • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                                  • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                                  • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                                  • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                  • String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$localcfg
                                                                                                  • API String ID: 237177642-3536369285
                                                                                                  • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                                  • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                                  • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                                  • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                                  APIs
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                  • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                                  • API String ID: 1628651668-3716895483
                                                                                                  • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                  • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                                  • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                                  • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                                  • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                                  • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                    • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                  • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                  • API String ID: 4207808166-1381319158
                                                                                                  • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                  • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                                  • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                                  • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                                  • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                                  • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                                  • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                                  • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                                  • API String ID: 835516345-270533642
                                                                                                  • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                  • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                                  • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                                  • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0286865A
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0286867B
                                                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 028686A8
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 028686B1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                  • String ID: "$C:\Windows\SysWOW64\zuvmebno\irxigvn.exe
                                                                                                  • API String ID: 237177642-1517200737
                                                                                                  • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                  • Instruction ID: 5dca52605008e8ab2d83ff525b29bef45093eaeee79a7ad71ae298e7556beb9a
                                                                                                  • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                                  • Instruction Fuzzy Hash: EFC1A2BD940109BEEB119BA4DC8CFFF7B7DEB04304F144065F609E6051E7B08A988B66
                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                                  • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                                  • htons.WS2_32(00000000), ref: 00402ADB
                                                                                                  • select.WS2_32 ref: 00402B28
                                                                                                  • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                                  • htons.WS2_32(?), ref: 00402B71
                                                                                                  • htons.WS2_32(?), ref: 00402B8C
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 1639031587-0
                                                                                                  • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                  • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                                  • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                                  • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                                  APIs
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 02861601
                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 028617D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                  • String ID: $<$@$D
                                                                                                  • API String ID: 1628651668-1974347203
                                                                                                  • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                                  • Instruction ID: 356e0f1ac0d18f94ad9c885ab775d7967ce39bf2886e67ad2a6a68297b434904
                                                                                                  • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 76F1ABB95083419FD320CF64C88CBAAB7E5FB88305F40892DF69AD73A1D7B49944CB52
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 028676D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02867757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0286778F
• ___ascii_stricmp.LIBCMT ref: 028678B4
• RegCloseKey.ADVAPI32(?), ref: 0286794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0286796D
• RegCloseKey.ADVAPI32(?), ref: 0286797E
• RegCloseKey.ADVAPI32(?), ref: 028679AC
• RegCloseKey.ADVAPI32(?), ref: 02867A56
  • Part of subcall function 0286F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0286772A,?), ref: 0286F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 028679F6
• RegCloseKey.ADVAPI32(?), ref: 02867A4D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 59d183afd2e85c8862d4ae32c8088e74cb5d4361c146b62af4b59fc8e11163dd
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 8FC1A47D900109AFEB119BA8DC48FFEBBB9EF49318F1040A5E504E6150EB75DA94CFA1
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00407208
• RegCloseKey.ADVAPI32(75920F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 02862CED
• socket.WS2_32(00000002,00000002,00000011), ref: 02862D07
• htons.WS2_32(00000000), ref: 02862D42
• select.WS2_32 ref: 02862D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 02862DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02862E62
Memory Dump Source
• Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: c472a66e06de49de2caab209f2fa43bfdd4168b5e265b5a7ef23e52cdf9ff925
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: BE61CF79504309AFC7209FA4DC0CB7BBBE8EB48755F0048A9FD88D6195D7B5D880CBA6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 0286202D
• GetSystemInfo.KERNEL32(?), ref: 0286204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0286206A
• GetProcAddress.KERNEL32(00000000), ref: 02862071
• GetCurrentProcess.KERNEL32(?), ref: 02862082
• GetTickCount.KERNEL32 ref: 02862230
  • Part of subcall function 02861E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02861E7C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: 892c6b0ec42eecf2b88560447783c7db72393a0f6da5f190a794ba3323e993c6
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: EE51F6BC5003486FE320AF699C8DF77BAECEB54708F00091DF99AC2142D7B5A544CB66
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                                    • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                                    • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                    • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                    • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                  • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                  • API String ID: 3976553417-1522128867
                                                                                                  • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                  • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                                  • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                                  • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                                  APIs
                                                                                                  • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                                  • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                  • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                                  • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                                  • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                                  • ExitProcess.KERNEL32 ref: 00404121
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateEventExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 2404124870-0
                                                                                                  • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                  • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                                  • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                                  • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                    • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C363
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C378
                                                                                                  • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                                  • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1553760989-1857712256
                                                                                                  • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                                  • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                                  • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02863068
                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02863078
                                                                                                  • GetProcAddress.KERNEL32(00000000,00410408), ref: 02863095
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 028630B6
                                                                                                  • htons.WS2_32(00000035), ref: 028630EF
                                                                                                  • inet_addr.WS2_32(?), ref: 028630FA
                                                                                                  • gethostbyname.WS2_32(?), ref: 0286310D
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 0286314D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                  • String ID: iphlpapi.dll
                                                                                                  • API String ID: 2869546040-3565520932
                                                                                                  • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction ID: fa7c030725e7fa8f5d59a45bde2911c9eeed495152be91e3d0f81132bf31af13
                                                                                                  • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                                  • Instruction Fuzzy Hash: 0731B67DA00206ABDB119BB89C4CBBE77B8EF04B64F1441A5F51CE7290DB74D581CB58
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32(?), ref: 028695A7
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 028695D5
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 028695DC
                                                                                                  • wsprintfA.USER32 ref: 02869635
                                                                                                  • wsprintfA.USER32 ref: 02869673
                                                                                                  • wsprintfA.USER32 ref: 028696F4
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02869758
                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0286978D
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 028697D8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                  • String ID:
                                                                                                  • API String ID: 3696105349-0
                                                                                                  • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                  • Instruction ID: 04769788593bf65d28f1a7f5ca18e6f64ddb63e73dcfc46b53950bd2bde7be83
                                                                                                  • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                                  • Instruction Fuzzy Hash: 9AA19CBA90020CAFEB21DFA4DC48FEA3BADEB04345F104066FA15D6191E7B5D584CFA5
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                                  • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: DnsQuery_A$dnsapi.dll
                                                                                                  • API String ID: 3560063639-3847274415
                                                                                                  • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                                  • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                                  • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
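The listings above are worth reading as call sequences rather than as isolated APIs: the block at 00402D3A loads a module and resolves DnsQuery_A by name through GetProcAddress, the block at 02863068 does the same with iphlpapi.dll but passes the export name only as an address (00410408) that the report leaves unresolved, and two of the WS2_32 blocks pass htons a literal (00000035, i.e. port 53) and socket the constants 2/1 (AF_INET, SOCK_STREAM). The following script, an added example that is neither Joe Sandbox code nor part of the analysed sample, parses these "APIs" lines exactly as they are printed in this report, groups them per function, and flags those three patterns. The embedded input is constructed from lines copied out of the three blocks named above; the port decoding is an assumption that only an htons argument fitting in 16 bits is a literal port (the x86 stack slot shows whatever sat in the upper half otherwise), and the family/type names are the standard Winsock constants.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not Joe Sandbox or sample code).

Parses per-function API call lines as printed in the report, groups them by
function (each 'APIs' header opens a new group) and flags: dynamic import
resolution (GetModuleHandle/LoadLibrary followed by GetProcAddress), literal
ports handed to htons, and socket() family/type constants.
"""
import re

# Constructed input: lines copied from three function blocks of this report.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02863068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02863078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 02863095
• htons.WS2_32(00000035), ref: 028630EF
• gethostbyname.WS2_32(?), ref: 0286310D
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
"""

# "• [Part of subcall function XXXX: ]Api.MODULE[(args)], ref: ADDR"
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
AF_NAMES = {2: "AF_INET"}                                  # Winsock constants
SOCK_NAMES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def as_int(token):
    """Integer value of an up-to-8-hex-digit report token, else None ('?', names)."""
    return int(token, 16) if HEX_RE.match(token) else None


def parse_api_lines(text):
    """Split the listing into function blocks; each block is a list of call dicts."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        if current is None:  # listing that starts mid-block
            current = []
            blocks.append(current)
        args = m.group("args")
        current.append({
            "api": m.group("api"), "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref").upper(),
            "subcall": (m.group("sub") or "").upper() or None,
        })
    return blocks


def analyze(blocks):
    """One finding dict per flagged call, in listing order."""
    findings = []
    for idx, calls in enumerate(blocks):
        loads_module = bool({c["api"] for c in calls} & LOADERS)
        for c in calls:
            if c["api"] == "GetProcAddress" and loads_module:
                name = c["args"][1] if len(c["args"]) > 1 else "?"
                # A hex token is a pointer to a name the report did not resolve.
                symbol = None if (name == "?" or as_int(name) is not None) else name
                findings.append({"block": idx, "ref": c["ref"], "kind": "dynamic_import",
                                 "symbol": symbol, "name_arg": name})
            elif c["api"] == "htons" and c["args"]:
                v = as_int(c["args"][0])
                port = v if v is not None and v <= 0xFFFF else None  # assumption: literal only if it fits u_short
                findings.append({"block": idx, "ref": c["ref"], "kind": "port", "port": port})
            elif c["api"] == "socket" and len(c["args"]) >= 2:
                af, st = as_int(c["args"][0]), as_int(c["args"][1])
                findings.append({"block": idx, "ref": c["ref"], "kind": "socket",
                                 "family": AF_NAMES.get(af, af), "type": SOCK_NAMES.get(st, st)})
    return findings


def report(text):
    """Human-readable lines for the findings."""
    out = []
    for f in analyze(parse_api_lines(text)):
        if f["kind"] == "dynamic_import":
            what = f["symbol"] or f"name at {f['name_arg']} (unresolved in report)"
            out.append(f"{f['ref']}: GetProcAddress after module load -> {what}")
        elif f["kind"] == "port":
            out.append(f"{f['ref']}: htons -> " + (f"port {f['port']}" if f["port"] is not None
                                                  else "no literal port (argument exceeds 16 bits)"))
        else:
            out.append(f"{f['ref']}: socket({f['family']}, {f['type']})")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the three blocks it reports the DnsQuery_A resolution at 00402D61, an unresolved name at 02863095, port 53 at 028630EF, a non-literal htons argument at 0040F34D and an AF_INET/SOCK_STREAM socket at 0040F367; pasting further "APIs" sections of this report into SAMPLE extends the triage without code changes.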
                                                                                                  APIs
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmpi
                                                                                                  • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                  • API String ID: 1586166983-1625972887
                                                                                                  • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                  • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                                  • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                                  • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                                  • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188212458-0
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 028667C3
                                                                                                  • htonl.WS2_32(?), ref: 028667DF
                                                                                                  • htonl.WS2_32(?), ref: 028667EE
                                                                                                  • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 028668F1
                                                                                                  • ExitProcess.KERNEL32 ref: 028669BC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Processhtonl$CurrentExitHugeRead
                                                                                                  • String ID: except_info$localcfg
                                                                                                  • API String ID: 1150517154-3605449297
                                                                                                  • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction ID: 3567c6ec02645fe8363fe2ab6886a8547b191678414715ff40225b8cecf2c1f3
                                                                                                  • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                                  • Instruction Fuzzy Hash: D0616E75A40208AFDB609FB4DC45FEA77E9FB08300F248066FA6DD2161EB7599908F54
                                                                                                  APIs
                                                                                                  • htons.WS2_32(0286CC84), ref: 0286F5B4
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0286F5CE
                                                                                                  • closesocket.WS2_32(00000000), ref: 0286F5DC
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction ID: d0e9f7899644c8b439c3c2e65e02671fc224f46af2329de9654b33c522fb3caf
                                                                                                  • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                                  • Instruction Fuzzy Hash: 53316D7990011CABDB10DFA9EC889EE7BBCEF48310F104566FA1AD7150E7709A81CBA5
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                                  • wsprintfA.USER32 ref: 00407036
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                  • String ID: /%d$|
                                                                                                  • API String ID: 676856371-4124749705
                                                                                                  • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                                  • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                                  • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?), ref: 02862FA1
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 02862FB1
                                                                                                  • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02862FC8
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02863000
                                                                                                  • RtlAllocateHeap.NTDLL(00000000), ref: 02863007
                                                                                                  • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02863032
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                                  • String ID: dnsapi.dll
                                                                                                  • API String ID: 1242400761-3175542204
                                                                                                  • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction ID: 639fe93378cf674d8dcaf10ee8e7fc6d94c998520458f3c1f4a47e032f375e5e
                                                                                                  • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                                  • Instruction Fuzzy Hash: 8F21A179D00229BBCB229B54DC48AFEBBBCEF08B10F004461F905E7540D7B49A8587E5
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                  • API String ID: 1082366364-3395550214
                                                                                                  • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                                  • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                                  • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02869A18
                                                                                                  • GetThreadContext.KERNEL32(?,?), ref: 02869A52
                                                                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 02869A60
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02869A98
                                                                                                  • SetThreadContext.KERNEL32(?,00010002), ref: 02869AB5
                                                                                                  • ResumeThread.KERNEL32(?), ref: 02869AC2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                  • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction ID: 4bf2d9859ad20bb5769e1b9c091af3d9ccb6d597b35acaa95cc68c016792be07
                                                                                                  • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                                  • Instruction Fuzzy Hash: C2215AB5A01229BBDF119BA1DC09EEF7BBCEF04755F004061FA09E1090E7758A50CAA4
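The function above is the classic suspended-process injection chain: CreateProcessA with dwCreationFlags = 0x00000004 (CREATE_SUSPENDED, the sixth argument), GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread, in increasing address order. The following is an added triage script, not part of the Joe Sandbox report and not code from the sample: it parses the report's own "• Api.MODULE(args), ref: ADDR" bullet lines (the regular expression and the record format it assumes are mine) and flags that chain, plus the GetModuleHandle/LoadLibrary + GetProcAddress pattern behind the report's "dynamically determine API calls" signature. The three sample blocks embedded in it are copied from this report's function listings; any other input is a constructed example. Note that the report's behavioural signatures come from runtime monitoring, so a static rule like this only corroborates them for the function it is run on.

```python
"""Rule-based triage of Joe Sandbox per-function API lists (added example)."""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit; 6th CreateProcessA argument

# Matches the report's bullet lines, with or without an argument list and with
# or without the "Part of subcall function XXXX:" prefix. Assumed format.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


def parse_api_lines(text):
    """Parse report bullet lines into ApiCall records sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw or not raw.strip() else [a.strip() for a in raw.split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module").upper(), args,
                             int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def _flag_value(arg):
    """Hex argument -> int, or None for '?' and other unresolved values."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def detect_suspended_injection(calls):
    """True if CreateProcess* with CREATE_SUSPENDED is followed (by address) by
    WriteProcessMemory, SetThreadContext and ResumeThread."""
    for i, c in enumerate(calls):
        if c.api not in ("CreateProcessA", "CreateProcessW") or len(c.args) < 6:
            continue
        flags = _flag_value(c.args[5])
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        later = {x.api for x in calls[i + 1:]}
        if {"WriteProcessMemory", "SetThreadContext", "ResumeThread"} <= later:
            return True
    return False


def detect_dynamic_resolution(calls):
    """True if a module handle is obtained and GetProcAddress follows it."""
    have_module = False
    for c in calls:
        if c.api in ("GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"):
            have_module = True
        elif c.api == "GetProcAddress" and have_module:
            return True
    return False


RULES = {
    "suspended_process_injection": detect_suspended_injection,
    "dynamic_api_resolution": detect_dynamic_resolution,
}


def triage(text):
    """Return the sorted names of the rules that fire on one function's API list."""
    calls = parse_api_lines(text)
    return sorted(name for name, rule in RULES.items() if rule(calls))


# Sample input: the three blocks below are copied from this report's listings.
INJECTION_BLOCK = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02869A18
• GetThreadContext.KERNEL32(?,?), ref: 02869A52
• TerminateProcess.KERNEL32(?,00000000), ref: 02869A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02869A98
• SetThreadContext.KERNEL32(?,00010002), ref: 02869AB5
• ResumeThread.KERNEL32(?), ref: 02869AC2
"""

RESOLVE_BLOCK = """
• GetModuleHandleA.KERNEL32(?), ref: 02862FA1
• LoadLibraryA.KERNEL32(?), ref: 02862FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 02862FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 02863000
• RtlAllocateHeap.NTDLL(00000000), ref: 02863007
"""

FILE_BLOCK = """
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02866CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02866D22
• GetLastError.KERNEL32 ref: 02866DA7
• CloseHandle.KERNEL32(?), ref: 02866DB5
• DeleteFileA.KERNEL32(?), ref: 02866DE7
"""

if __name__ == "__main__":
    for name, block in (("injection", INJECTION_BLOCK), ("resolve", RESOLVE_BLOCK), ("file", FILE_BLOCK)):
        print(name, triage(block))
```

The rules deliberately key on argument values where the report resolves them (the 0x4 creation flag) and on call order by address rather than on API names alone, since GetThreadContext/WriteProcessMemory also appear in legitimate debuggers; a "?" argument is treated as unknown and never satisfies the flag test.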
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(004102D8), ref: 02861C18
                                                                                                  • LoadLibraryA.KERNEL32(004102C8), ref: 02861C26
                                                                                                  • GetProcessHeap.KERNEL32 ref: 02861C84
                                                                                                  • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02861C9D
                                                                                                  • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02861CC1
                                                                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 02861D02
                                                                                                  • FreeLibrary.KERNEL32(?), ref: 02861D0B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                                  • String ID:
                                                                                                  • API String ID: 2324436984-0
                                                                                                  • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction ID: a114bc73ca79f19efe68bb1525ad480253d50ef1ce6aec5f3f81c5f951081aaf
                                                                                                  • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                                  • Instruction Fuzzy Hash: 37317A3AE00209BFCB119FA4DC8D8BEBAB9EB45705B24407AE509E2211D7B55E80DB94
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02866CE4
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02866D22
                                                                                                  • GetLastError.KERNEL32 ref: 02866DA7
                                                                                                  • CloseHandle.KERNEL32(?), ref: 02866DB5
                                                                                                  • GetLastError.KERNEL32 ref: 02866DD6
                                                                                                  • DeleteFileA.KERNEL32(?), ref: 02866DE7
                                                                                                  • GetLastError.KERNEL32 ref: 02866DFD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3873183294-0
                                                                                                  • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction ID: 278d6ed99948ec16256b968d8eb72f4400ed09bfdf820fea08b9766856d5e03a
                                                                                                  • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                                  • Instruction Fuzzy Hash: FE31F07E900289BFCB01DFA4DD48EEE7F7DEB48310F148065E211E7210E775AA958B62
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\upqhzwij,02867043), ref: 02866F4E
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02866F55
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02866F7B
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02866F92
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$\\.\pipe\upqhzwij
                                                                                                  • API String ID: 1082366364-2229946552
                                                                                                  • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction ID: 635126cd5a071fcff3095ed6b416d736a98e1dc97a83220a354f500b2ecec184
                                                                                                  • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                                  • Instruction Fuzzy Hash: D821F22D7403903DF7225735AC8CFBB3E4C8B52764F1840A5F908D5480EBD984D682BE
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen
                                                                                                  • String ID: $localcfg
                                                                                                  • API String ID: 1659193697-2018645984
                                                                                                  • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                  • Instruction ID: d14de562a4bef4a20cd8e415c328ee344f9b5415a8f336a539d55c8548e08388
                                                                                                  • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                                  • Instruction Fuzzy Hash: 74713F7D900309AAEF299B58DCCDFFE376A9B00709F244067F909F6090DF62A5C48B56
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                    • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                                  • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                  • String ID: flags_upd$localcfg
                                                                                                  • API String ID: 204374128-3505511081
                                                                                                  • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                  • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                                  • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                                  • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                                  APIs
                                                                                                    • Part of subcall function 0286DF6C: GetCurrentThreadId.KERNEL32 ref: 0286DFBA
                                                                                                  • lstrcmp.KERNEL32(00410178,00000000), ref: 0286E8FA
                                                                                                  • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02866128), ref: 0286E950
                                                                                                  • lstrcmp.KERNEL32(?,00000008), ref: 0286E989
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                                  • String ID: A$ A$ A
                                                                                                  • API String ID: 2920362961-1846390581
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?), ref: 028692E2
                                                                                                  • wsprintfA.USER32 ref: 02869350
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02869375
                                                                                                  • lstrlen.KERNEL32(?,?,00000000), ref: 02869389
                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 02869394
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0286939B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2439722600-0
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                  • wsprintfA.USER32 ref: 004090E9
                                                                                                  • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2439722600-0
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                                  • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                                  • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                                  • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3819781495-0
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0286C6B4
                                                                                                  • InterlockedIncrement.KERNEL32(0286C74B), ref: 0286C715
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0286C747), ref: 0286C728
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0286C747,00413588,02868A77), ref: 0286C733
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1026198776-1857712256
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                                    • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                                    • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                                    • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                                    • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                                    • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                                    • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                    • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                                  • String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe
                                                                                                  • API String ID: 124786226-1272795996
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 028671E1
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02867228
                                                                                                  • LocalFree.KERNEL32(?,?,?), ref: 02867286
                                                                                                  • wsprintfA.USER32 ref: 0286729D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                                  • String ID: |
                                                                                                  • API String ID: 2539190677-2343686810
                                                                                                  APIs
                                                                                                  • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                  • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                  • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                  • String ID: LocalHost
                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                                  • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                                  • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: QueryValue$CloseOpen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1586453840-0
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0286B51A
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0286B529
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0286B548
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0286B590
                                                                                                  • wsprintfA.USER32 ref: 0286B61E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 4026320513-0
                                                                                                  • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction ID: 0c369074e87c173bc44587bc31526ab9efc8dfee4ff29525dbb1f66add5f8e40
                                                                                                  • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                                  • Instruction Fuzzy Hash: CA51F0B5D0021DAACF14DFD5D8895FEBBB9AF48308F10816AE505F6150E7B84AC9CF98
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                                  • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                  • String ID:
                                                                                                  • API String ID: 1371578007-0
                                                                                                  • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                  • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                                  • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                                  • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                                  APIs
                                                                                                  • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02866303
                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 0286632A
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 028663B1
                                                                                                  • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02866405
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: HugeRead$AddressLibraryLoadProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 3498078134-0
                                                                                                  • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                  • Instruction ID: 55950cd80a82ae5b5463d4be45cbec44f676e22062a2fb7bd760cea9200eb473
                                                                                                  • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                                  • Instruction Fuzzy Hash: 10414C7DA00269EBDB14CF58C988BB9B7B8FF04358F1C8169E819D7290E779E941CB50
                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                                  • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                                  • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                                  • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Read$AddressLibraryLoadProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2438460464-0
                                                                                                  • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                  • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                                  • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                                  • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                  • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                                  • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                                  • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                                  APIs
                                                                                                    • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                    • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                    • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                  • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                                  • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                                  • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                  • String ID: A$ A
                                                                                                  • API String ID: 3343386518-686259309
                                                                                                  • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                  • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                                  • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                                  • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040272E
                                                                                                  • htons.WS2_32(00000001), ref: 00402752
                                                                                                  • htons.WS2_32(0000000F), ref: 004027D5
                                                                                                  • htons.WS2_32(00000001), ref: 004027E3
                                                                                                  • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                    • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                    • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                                  • String ID:
                                                                                                  • API String ID: 1802437671-0
                                                                                                  • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                  • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                                  • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                                  • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                                  APIs
                                                                                                  • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                                  • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                                  • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                                  • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: setsockopt
                                                                                                  • String ID:
                                                                                                  • API String ID: 3981526788-0
                                                                                                  • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                  • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                                  • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                                  • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 028693C6
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 028693CD
                                                                                                  • CharToOemA.USER32(?,?), ref: 028693DB
                                                                                                  • wsprintfA.USER32 ref: 02869410
                                                                                                    • Part of subcall function 028692CB: GetTempPathA.KERNEL32(00000400,?), ref: 028692E2
                                                                                                    • Part of subcall function 028692CB: wsprintfA.USER32 ref: 02869350
                                                                                                    • Part of subcall function 028692CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02869375
                                                                                                    • Part of subcall function 028692CB: lstrlen.KERNEL32(?,?,00000000), ref: 02869389
                                                                                                    • Part of subcall function 028692CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02869394
                                                                                                    • Part of subcall function 028692CB: CloseHandle.KERNEL32(00000000), ref: 0286939B
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02869448
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3857584221-0
                                                                                                  • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                  • Instruction ID: d14b81c3b3a7c4ea35e19468ed6d14f911a010c041265248d7586d93635ef9e2
                                                                                                  • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                                  • Instruction Fuzzy Hash: B20152FA9001187BD721A7619D8DEEF377CDB95701F0040A1BB49E2080DAB496C58F75
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                                  • CharToOemA.USER32(?,?), ref: 00409174
                                                                                                  • wsprintfA.USER32 ref: 004091A9
                                                                                                    • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                    • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                    • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                    • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                    • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                    • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3857584221-0
                                                                                                  • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                                  • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                                  • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
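Added example (not part of the Joe Sandbox report or its IDA plugin): a small Python parser for the "APIs" listings in this section, applied here to two blocks copied from the listing above, the setsockopt chain at 0040F2A0..0040F2FD and the drop-file-and-run chain at 0040915F..004091E1. It turns each bullet into a structured call record, decodes the raw Winsock level/optname constants (0xFFFF is SOL_SOCKET, 0x1005 is SO_SNDTIMEO, 0x1006 is SO_RCVTIMEO, level 6 optname 1 is TCP_NODELAY, 0x80 is SO_LINGER) and flags API chains that correspond to signatures listed at the top of the report. The chain names and the rule table are the example's own assumptions, not Joe Sandbox signature logic.

```python
"""Parse Joe Sandbox 'APIs' listings, decode setsockopt constants and flag API chains.
Added example; not code from the Joe Sandbox report or its IDA plugin."""
import re
from typing import Dict, List, Optional, Tuple

# Excerpt copied verbatim from the disassembly listing above (two function blocks).
LISTING = """\
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
"""

# One bullet: optional "Part of subcall function XXXXXXXX: ", then API.MODULE, optional
# "(args)", then "ref: ADDRESS". Some bullets (wsprintfA) carry no argument list.
CALL_RE = re.compile(
    r"•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_arg(tok: str) -> Optional[int]:
    """Hex argument (possibly negative, e.g. -00000030) -> int; '?' (unresolved) -> None."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else None


def parse_listing(text: str) -> List[List[Dict]]:
    """Split the listing into functions ('APIs' ... 'Memory Dump Source'), one call list each."""
    functions: List[List[Dict]] = []
    current: Optional[List[Dict]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        if line == "Memory Dump Source":
            current = None
            continue
        m = CALL_RE.search(line)
        if m and current is not None:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": m["api"], "module": m["mod"], "args": args,
                            "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return functions


# Winsock constants (values from winsock2.h). Rule names below are this example's own labels.
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVELS = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
OPTNAMES = {
    (SOL_SOCKET, 0x0004): "SO_REUSEADDR", (SOL_SOCKET, 0x0008): "SO_KEEPALIVE",
    (SOL_SOCKET, 0x0080): "SO_LINGER", (SOL_SOCKET, 0x1001): "SO_SNDBUF",
    (SOL_SOCKET, 0x1002): "SO_RCVBUF", (SOL_SOCKET, 0x1005): "SO_SNDTIMEO",
    (SOL_SOCKET, 0x1006): "SO_RCVTIMEO", (IPPROTO_TCP, 0x0001): "TCP_NODELAY",
}
CHAINS = {  # assumed API sets; a function that contains every member is flagged
    "drop_file_and_run": {"GetModuleFileNameA", "GetTempPathA", "CreateFileA", "WriteFile", "ShellExecuteA"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "udp_send": {"htons", "sendto"},
    "socket_tuning": {"setsockopt"},
}


def decode_setsockopt(calls: List[Dict]) -> List[Tuple[str, str]]:
    """(level, optname) names for each setsockopt in a function; unknown values stay hex."""
    def name(table, key, raw):
        return "?" if raw is None else table.get(key, hex(raw))
    out = []
    for c in calls:
        if c["api"] == "setsockopt" and len(c["args"]) >= 3:
            level, opt = c["args"][1], c["args"][2]
            out.append((name(LEVELS, level, level), name(OPTNAMES, (level, opt), opt)))
    return out


def flag_chains(calls: List[Dict]) -> List[str]:
    """Chain labels whose required APIs all appear in the function (subcalls included)."""
    seen = {c["api"] for c in calls}
    return sorted(label for label, need in CHAINS.items() if need <= seen)


if __name__ == "__main__":
    for calls in parse_listing(LISTING):
        print(f"function @ {calls[0]['ref']:08X}: chains={flag_chains(calls)}")
        for level, opt in decode_setsockopt(calls):
            print(f"  setsockopt {level}/{opt}")
```

Running it on the two blocks prints one function tagged socket_tuning with SO_REUSEADDR, SO_SNDTIMEO, SO_RCVTIMEO, TCP_NODELAY and SO_LINGER, and one tagged drop_file_and_run, which is the GetTempPathA/CreateFileA/WriteFile/ShellExecuteA sequence behind the report's "Deletes itself after installation" signature. Arguments the plugin could not resolve ("?") are kept as None rather than guessed, so the decoder reports "?" instead of a wrong constant.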
                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                                  • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                  • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                  • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                                  • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                                  • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                                  • API String ID: 2574300362-1087626847
                                                                                                  • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                                  • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                                  • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: hi_id$localcfg
                                                                                                  • API String ID: 2777991786-2393279970
                                                                                                  • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                  • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                                  • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                                  • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                                  APIs
                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                                  • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                  • String ID: *p@
                                                                                                  • API String ID: 3429775523-2474123842
                                                                                                  • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                  • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                                  • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                                  • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg$u6A
                                                                                                  • API String ID: 1594361348-1940331995
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: e172fc9b44ed2c73fa77bd6bb3cddaefbc6e77fd586567cac5d098367f606316
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: 5FE082386042218FCB008B28F84CAEA3BA4AF4A230F0081C0F888C72A4C7349C80AA80
                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 028669E5
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 02866A26
                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000), ref: 02866A3A
                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 02866BD8
                                                                                                    • Part of subcall function 0286EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02861DCF,?), ref: 0286EEA8
                                                                                                    • Part of subcall function 0286EE95: HeapFree.KERNEL32(00000000), ref: 0286EEAF
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 3384756699-0
                                                                                                  • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                  • Instruction ID: 2749aaf4f06c11c4c6c22b0776d120693561935e732b3ed987e74af0a5eded9b
                                                                                                  • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                                  • Instruction Fuzzy Hash: 1071177990026EEFDB109FA4CC84AFEBBB9FB04314F10456AE515E6190EB349E92CB50
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf
                                                                                                  • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                  • API String ID: 2111968516-120809033
                                                                                                  • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                  • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                                  • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                                  • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                                  APIs
                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0286E50A,00000000,00000000,00000000,00020106,00000000,0286E50A,00000000,000000E4), ref: 0286E319
                                                                                                  • RegSetValueExA.ADVAPI32(0286E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0286E38E
                                                                                                  • RegDeleteValueA.ADVAPI32(0286E50A,?,?,?,?,?,000000C8,004122F8), ref: 0286E3BF
                                                                                                  • RegCloseKey.ADVAPI32(0286E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0286E50A), ref: 0286E3C8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                  • String ID:
                                                                                                  • API String ID: 2667537340-0
                                                                                                  • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                  • Instruction ID: 1d05883a43d13184579b6febf0e79793326f23ee95c3175250ba2fc206afd711
                                                                                                  • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                                  • Instruction Fuzzy Hash: 83215079A0021DBBDF219FA8ED89EEE7F79EF08750F088021F905E6150E7718A54DB91
                                                                                                  APIs
                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                                  • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                                  • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                                  • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                  • String ID:
                                                                                                  • API String ID: 2667537340-0
                                                                                                  • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                  • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                                  • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                                  • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0286421F
                                                                                                  • GetLastError.KERNEL32 ref: 02864229
                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 0286423A
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0286424D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction ID: 3c00394584c4c9c92a3b3364c714ecab8442ccad9df20fd7699cb5d7b695b74e
                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction Fuzzy Hash: 3A01C876511109AFDF11DF90ED88BEF7BACFB08256F108461F905E2150D770DA948BB6
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 028641AB
                                                                                                  • GetLastError.KERNEL32 ref: 028641B5
                                                                                                  • WaitForSingleObject.KERNEL32(?,?), ref: 028641C6
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 028641D9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction ID: 02193d32512f7715f5b1a6faf72b6ac6f6141d215906a39fda7b315abc3b1c24
                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction Fuzzy Hash: 67010C7A51110AAFDF11DF90ED88BEF7B6CEB18259F004062F905E2050D770DA548BB5
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                                  • GetLastError.KERNEL32 ref: 00403F4E
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                                  • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                                  • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                                  • GetLastError.KERNEL32 ref: 00403FC2
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                                  • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                                  • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                                  APIs
                                                                                                  • lstrcmp.KERNEL32(?,80000009), ref: 0286E066
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp
                                                                                                  • String ID: A$ A$ A
                                                                                                  • API String ID: 1534048567-1846390581
                                                                                                  • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                  • Instruction ID: 01cb878975cffa88e9aec5465b8c997780479ee51014c3c4ee21f9c23ed396eb
                                                                                                  • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                                  • Instruction Fuzzy Hash: 4EF0627D200706DBCF21CF25D888EA2B7E9FB05325B54862AE658C3460D374A498CB52
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                  • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                                  • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                  • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                                  • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                                  • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                                  • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                  • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                                  • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                                  • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                                  • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                                  • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                  • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                                  • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                                  • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00403103
                                                                                                  • GetTickCount.KERNEL32 ref: 0040310F
                                                                                                  • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                  • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                                  • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                                  • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 028683C6
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02868477
                                                                                                    • Part of subcall function 028669C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 028669E5
                                                                                                    • Part of subcall function 028669C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02866A26
                                                                                                    • Part of subcall function 028669C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02866A3A
                                                                                                    • Part of subcall function 0286EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02861DCF,?), ref: 0286EEA8
                                                                                                    • Part of subcall function 0286EE95: HeapFree.KERNEL32(00000000), ref: 0286EEAF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                                  • String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe
                                                                                                  • API String ID: 359188348-1272795996
                                                                                                  • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                  • Instruction ID: 8faaac109c82e938c72b6dbd8e0cf9d834ceadfef3173fd8501c9c34b715099c
                                                                                                  • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                                  • Instruction Fuzzy Hash: C54184BE900108BFDB11EBA49D88EFF777DEB04344F0484A6E609D7410F7709A988B51
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0286AFFF
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0286B00D
                                                                                                    • Part of subcall function 0286AF6F: gethostname.WS2_32(?,00000080), ref: 0286AF83
                                                                                                    • Part of subcall function 0286AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0286AFE6
                                                                                                    • Part of subcall function 0286331C: gethostname.WS2_32(?,00000080), ref: 0286333F
                                                                                                    • Part of subcall function 0286331C: gethostbyname.WS2_32(?), ref: 02863349
                                                                                                    • Part of subcall function 0286AA0A: inet_ntoa.WS2_32(00000000), ref: 0286AA10
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                  • String ID: %OUTLOOK_BND_
                                                                                                  • API String ID: 1981676241-3684217054
                                                                                                  • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                  • Instruction ID: b7397e0253cd0f62b67d0b8080cb440fc4ca6d64bd0a971a7c4f622e4fff5eb4
                                                                                                  • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                                  • Instruction Fuzzy Hash: 5141817A90020CABCB25EFA4DC49EEE3B6DFF08304F144426FA25E2051EB75D6448F55
                                                                                                  APIs
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02869536
                                                                                                  • Sleep.KERNEL32(000001F4), ref: 0286955D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShellSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 4194306370-3916222277
                                                                                                  • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                  • Instruction ID: bc426574d26b0015a21bb932f2188a92ba290154b52c18f53ed368bb0de72522
                                                                                                  • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                                  • Instruction Fuzzy Hash: 0341187D808388AFFB368B68D88CBB63FE49B02318F1441E5D48AD71E2D7744981C711
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                                  • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileWrite
                                                                                                  • String ID: ,k@
                                                                                                  • API String ID: 3934441357-1053005162
                                                                                                  • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                                  • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                                  • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0286B9D9
                                                                                                  • InterlockedIncrement.KERNEL32(00413648), ref: 0286BA3A
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0286BA94
                                                                                                  • GetTickCount.KERNEL32 ref: 0286BB79
                                                                                                  • GetTickCount.KERNEL32 ref: 0286BB99
                                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0286BE15
                                                                                                  • closesocket.WS2_32(00000000), ref: 0286BEB4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountIncrementInterlockedTick$closesocket
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 1869671989-2903620461
                                                                                                  • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                  • Instruction ID: 8d0a2a63c0b9a0d65827de47f4bf2b999323ae1478d3c0600603c1d0922dfc7e
                                                                                                  • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                                  • Instruction Fuzzy Hash: FB317C79400248DFDF25DFA4DC88AF9B7A9EB48708F20406AFA24E2160DB35D685CF11
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 536389180-1857712256
                                                                                                  • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                  • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                                  • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                                  • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTickwsprintf
                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                  • API String ID: 2424974917-1012700906
                                                                                                  • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                  • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                                  • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                                  • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                                  APIs
                                                                                                    • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                    • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 3716169038-2903620461
                                                                                                  • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                  • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                                  • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                                  • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                                  APIs
                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 028670BC
                                                                                                  • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 028670F4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountLookupUser
                                                                                                  • String ID: |
                                                                                                  • API String ID: 2370142434-2343686810
                                                                                                  • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction ID: e918cdec33d133095ace5ffa3b4d1c699388505f1f63aaefc98b65f1a0edadf0
                                                                                                  • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                                  • Instruction Fuzzy Hash: C4112A7A90011CEBDB11CBD4DC89AEEB7BCEB04309F1441A6E515E6094E7709B88CBA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                    • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                                  • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2777991786-1857712256
                                                                                                  • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                                  • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                                  • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                                  APIs
                                                                                                  • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                                  • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: IncrementInterlockedlstrcpyn
                                                                                                  • String ID: %FROM_EMAIL
                                                                                                  • API String ID: 224340156-2903620461
                                                                                                  • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                                  • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                                  • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                                  APIs
                                                                                                  • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                                  • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbyaddrinet_ntoa
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 2112563974-1857712256
                                                                                                  • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                                  • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                                  • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                                  APIs
                                                                                                  • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                                  • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: gethostbynameinet_addr
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 1594361348-2401304539
                                                                                                  • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                                  • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                                  • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                  • String ID: ntdll.dll
                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                  • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                                  • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                                  • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                                  APIs
                                                                                                    • Part of subcall function 02862F88: GetModuleHandleA.KERNEL32(?), ref: 02862FA1
                                                                                                    • Part of subcall function 02862F88: LoadLibraryA.KERNEL32(?), ref: 02862FB1
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 028631DA
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 028631E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_2860000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction ID: 188f3e7eb5ef546d0aaa32594e2c3469caa80b7c2c46b935ed5bd905534aea40
                                                                                                  • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                                  • Instruction Fuzzy Hash: 0C51A03990024AAFCB01DF64D888AF9B779FF15705F1441A9EC9AC7210E732DA19CB90
                                                                                                  APIs
                                                                                                    • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                    • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_12_2_400000_irxigvn.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 1017166417-0
                                                                                                  • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                                  • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                                  • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
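The blocks above are the per-function records that Joe Sandbox's IDA plugin emits for each recovered function: direct API calls, calls reached through a sub-call, strings, the memory dump the function came from, and the opcode and fuzzy-hash identifiers. They are easier to triage as data than as text. The following parser is an added example written for this page; it is not code from the report, from Joe Security or from the sample. SAMPLE holds three blocks copied from the records above with the Instruction ID and fuzzy-hash lines trimmed; the helper names (parse_blocks, by_api, string_ids) are this example's own.

```python
# Added example (not from the Joe Sandbox report or the Tofsee sample): parse the
# per-function "APIs / Strings / Memory Dump Source / ..." blocks above into
# records, then pull out the facts a triager wants from them.
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
META_KEYS = {"Source File", "Snapshot File", "API ID", "String ID", "API String ID",
             "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
# "Part of subcall function X: " marks an API reached through a callee, not called directly.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>.*)\))?,? ref: "
                    r"(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: [0-9A-Fa-f]+$")
SOURCE_RE = re.compile(r"Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")

def parse_blocks(text):
    """One dict per function block, in report order."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every block opens with this label
            rec = {"apis": [], "strings": [], "meta": {}}
            records.append(rec)
            section = line
        elif not line or rec is None:
            continue
        elif line in SECTIONS:
            section = line
        else:
            body = line.lstrip("•").strip()
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            if key in META_KEYS:
                rec["meta"][key] = value
                m = SOURCE_RE.search(value) if key == "Source File" else None
                if m:                           # "based on PE: false": dump of a region with no image behind it
                    rec["meta"]["offset"] = int(m.group("off"), 16)
                    rec["meta"]["based_on_pe"] = m.group("pe") == "true"
            elif section == "APIs":
                m = API_RE.match(body)
                if m:
                    rec["apis"].append({**m.groupdict(), "subcall": m.group("sub") is not None})
            elif section == "Strings":
                m = STRING_RE.match(body)
                rec["strings"].append(m.group("text") if m else body)
    return records

def by_api(records, api_name):
    """Blocks that call api_name directly (sub-call entries are excluded)."""
    return [r for r in records
            if any(a["name"] == api_name and not a["subcall"] for a in r["apis"])]

def string_ids(records):
    """Distinct non-empty String IDs: candidate literals for a YARA or hunt rule."""
    return sorted({r["meta"].get("String ID", "") for r in records} - {""})

# Three blocks copied from the report above, trimmed of the Instruction ID / fuzzy-hash lines.
SAMPLE = """\
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 028670BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 028670F4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2090423490.0000000002860000.00000040.00001000.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2089147267.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
"""
```

Two details matter when reading the result. The `subcall` flag separates what a function calls itself from what its callees call, so `by_api(records, "LoadLibraryA")` is empty for the sample even though LoadLibraryA appears in the second block; the GetComputerNameA/GetVolumeInformationA pair is that block's own work, and the Iphlpapi.dll/GetAdaptersAddresses resolution belongs to the function at 00401AC3. The `based_on_pe` field keeps the 0x400000 image records apart from the 0x02860000 region, which the report marks "based on PE: false", i.e. code the sandbox dumped from memory that no loaded image accounts for.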

                                                                                                  Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1809
Total number of Limit Nodes: 18

execution_graph: the report's graph viewer serialised its nodes and edges here as one run of "node-id address [API names | N API calls] id->id" tokens, which is not readable as text and is cut off in the source after node 6201 (2989eb0 lstrcpyA). The API-resolving nodes recoverable from that run, as function address followed by the APIs the node calls:
• 2989a6b: SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter
• 298ec54: GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount
• 2989aa3 and 298a167: GetModuleHandleA, GetModuleFileNameA; 2989145: GetModuleHandleA, GetModuleFileNameA, CharToOemA
• 2989afd and 298a1e3: GetCommandLineA; 2989b96 and 298a285: lstrlenA; 2989e6b: GetEnvironmentVariableA; 2989ca0: GetTempPathA; 29899d2, 298524f and 2989eb0: lstrcpyA
• 298a1b2: GetDriveTypeA; 298a406: DeleteFileA; 298a3ed: GetLastError; 298a3f8, 298a4be and 2984eb8: Sleep; 2989c05 and 2986753: ExitProcess
• 298a41c: CreateThread, WSAStartup; 298f483: WSAStartup; 298f26d: setsockopt (five calls); 298656a: htonl, htonl, wsprintfA, wsprintfA
• 298405e and 2984280: CreateEventA; 2984e92, 2984ead and 298a49f: GetTickCount; 2984ec0: InterlockedExchange
• 298643e and 298645b: VirtualAlloc; 2985fbf: VirtualProtect; 29862a0: VirtualFree; 2986281: FreeLibrary; 29860c0: LoadLibraryA; 2986141 and 2986155: GetProcAddress; 2986090, 2986191 and 2986511: IsBadReadPtr; 2985d93, 2985b84, 2985c05, 2985c24 and 2985d34: IsBadWritePtr
• 298668a: GetCurrentProcess, StackWalk64; 2986511, 29866a0, 2986652, 2986712, 29866da and 29866ed: wsprintfA
• 2988c8b, 2985110, 2985351 and 298e781: lstrcmpA; 298be31, 298be55, 298be61, 298bf62, 298bf77 and 298bf8c: lstrcmpiA
lstrlenA 6196->6201 6199 2989d5f 6552 2986cc9 6199->6552 6200 298a3c2 6625 29898f2 6200->6625 6205 2989ef4 6201->6205 6621 2986ec3 6203->6621 6209 2986dc2 6 API calls 6205->6209 6211 2989f03 6205->6211 6206 298a39d StartServiceCtrlDispatcherA 6206->6200 6207 2989d72 lstrcpyA lstrcatA lstrcatA 6210 2989cf6 6207->6210 6208 298a3c7 6208->6135 6209->6211 6561 2989326 6210->6561 6212 2989f32 RegOpenKeyExA 6211->6212 6213 2989f48 RegSetValueExA RegCloseKey 6212->6213 6217 2989f70 6212->6217 6213->6217 6214 298a35f 6214->6200 6214->6206 6222 2989f9d GetModuleHandleA GetModuleFileNameA 6217->6222 6218 2989dde GetFileAttributesExA 6219 2989e0c DeleteFileA 6218->6219 6221 2989df7 6218->6221 6219->6182 6221->6193 6598 29896ff 6221->6598 6224 298a093 6222->6224 6225 2989fc2 6222->6225 6226 298a103 CreateProcessA 6224->6226 6229 298a0a4 wsprintfA 6224->6229 6225->6224 6230 2989ff1 GetDriveTypeA 6225->6230 6227 298a13a 6226->6227 6228 298a12a DeleteFileA 6226->6228 6227->6193 6234 29896ff 3 API calls 6227->6234 6228->6227 6604 2982544 6229->6604 6230->6224 6232 298a00d 6230->6232 6237 298a02d lstrcatA 6232->6237 6234->6193 6238 298a046 6237->6238 6239 298a052 lstrcatA 6238->6239 6240 298a064 lstrcatA 6238->6240 6239->6240 6240->6224 6241 298a081 lstrcatA 6240->6241 6241->6224 6242->6128 6632 298dd05 GetTickCount 6243->6632 6245 298e538 6640 298dbcf 6245->6640 6247 298e544 6248 298e555 GetFileSize 6247->6248 6252 298e5b8 6247->6252 6249 298e5b1 CloseHandle 6248->6249 6250 298e566 6248->6250 6249->6252 6664 298db2e 6250->6664 6650 298e3ca RegOpenKeyExA 6252->6650 6254 298e576 ReadFile 6254->6249 6256 298e58d 6254->6256 6668 298e332 6256->6668 6258 298e5f2 6260 298e3ca 19 API calls 6258->6260 6261 298e629 6258->6261 6260->6261 6261->6134 6263 298eabe 6262->6263 6265 298eaba 6262->6265 6264 298dd05 6 API calls 6263->6264 6263->6265 6264->6265 6265->6140 6267 298ee2a 6266->6267 6268 2981db4 GetVersionExA 6267->6268 6269 2981dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6268->6269 
6271 2981e24 6269->6271 6272 2981e16 GetCurrentProcess 6269->6272 6726 298e819 6271->6726 6272->6271 6274 2981e3d 6275 298e819 11 API calls 6274->6275 6276 2981e4e 6275->6276 6277 2981e77 6276->6277 6767 298df70 6276->6767 6733 298ea84 6277->6733 6280 2981e6c 6282 298df70 12 API calls 6280->6282 6282->6277 6283 298e819 11 API calls 6284 2981e93 6283->6284 6737 298199c inet_addr LoadLibraryA 6284->6737 6287 298e819 11 API calls 6288 2981eb9 6287->6288 6289 298f04e 4 API calls 6288->6289 6296 2981ed8 6288->6296 6291 2981ec9 6289->6291 6290 298e819 11 API calls 6292 2981eee 6290->6292 6293 298ea84 30 API calls 6291->6293 6294 2981f0a 6292->6294 6751 2981b71 6292->6751 6293->6296 6295 298e819 11 API calls 6294->6295 6298 2981f23 6295->6298 6296->6290 6301 2981f3f 6298->6301 6755 2981bdf 6298->6755 6299 2981efd 6300 298ea84 30 API calls 6299->6300 6300->6294 6303 298e819 11 API calls 6301->6303 6305 2981f5e 6303->6305 6307 2981f77 6305->6307 6309 298ea84 30 API calls 6305->6309 6306 298ea84 30 API calls 6306->6301 6763 29830b5 6307->6763 6309->6307 6311 2986ec3 2 API calls 6313 2981f8e GetTickCount 6311->6313 6313->6144 6315 2986ec3 2 API calls 6314->6315 6316 29880eb 6315->6316 6317 29880f9 6316->6317 6318 29880ef 6316->6318 6834 298704c 6317->6834 6821 2987ee6 6318->6821 6321 2988269 CreateThread 6340 2985e6c 6321->6340 7295 298877e 6321->7295 6322 29880f4 6322->6321 6324 298675c 21 API calls 6322->6324 6323 2988110 6323->6322 6325 2988156 RegOpenKeyExA 6323->6325 6330 2988244 6324->6330 6326 298816d RegQueryValueExA 6325->6326 6327 2988216 6325->6327 6328 298818d 6326->6328 6329 29881f7 6326->6329 6327->6322 6328->6329 6334 298ebcc 4 API calls 6328->6334 6331 298820d RegCloseKey 6329->6331 6333 298ec2e codecvt 4 API calls 6329->6333 6330->6321 6332 298ec2e codecvt 4 API calls 6330->6332 6331->6327 6332->6321 6339 29881dd 6333->6339 6335 29881a0 6334->6335 6335->6331 6336 29881aa RegQueryValueExA 6335->6336 6336->6329 6337 29881c4 6336->6337 6338 298ebcc 4 API calls 
6337->6338 6338->6339 6339->6331 6936 298ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6340->6936 6342 2985e71 6937 298e654 6342->6937 6344 2985ec1 6345 2983132 6344->6345 6346 298df70 12 API calls 6345->6346 6347 298313b 6346->6347 6348 298c125 6347->6348 6948 298ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6348->6948 6350 298c12d 6351 298e654 13 API calls 6350->6351 6352 298c2bd 6351->6352 6353 298e654 13 API calls 6352->6353 6354 298c2c9 6353->6354 6355 298e654 13 API calls 6354->6355 6356 298a47a 6355->6356 6357 2988db1 6356->6357 6358 2988dbc 6357->6358 6359 298e654 13 API calls 6358->6359 6360 2988dec Sleep 6359->6360 6360->6178 6362 298c92f 6361->6362 6363 298c93c 6362->6363 6960 298c517 6362->6960 6365 298ca2b 6363->6365 6366 298e819 11 API calls 6363->6366 6365->6178 6367 298c96a 6366->6367 6368 298e819 11 API calls 6367->6368 6369 298c97d 6368->6369 6370 298e819 11 API calls 6369->6370 6371 298c990 6370->6371 6372 298c9aa 6371->6372 6373 298ebcc 4 API calls 6371->6373 6372->6365 6949 2982684 6372->6949 6373->6372 6378 298ca26 6977 298c8aa 6378->6977 6381 298ca44 6382 298ca4b closesocket 6381->6382 6383 298ca83 6381->6383 6382->6378 6384 298ea84 30 API calls 6383->6384 6385 298caac 6384->6385 6386 298f04e 4 API calls 6385->6386 6387 298cab2 6386->6387 6388 298ea84 30 API calls 6387->6388 6389 298caca 6388->6389 6390 298ea84 30 API calls 6389->6390 6391 298cad9 6390->6391 6981 298c65c 6391->6981 6394 298cb60 closesocket 6394->6365 6396 298dad2 closesocket 6397 298e318 23 API calls 6396->6397 6398 298dae0 6397->6398 6398->6365 6399 298df4c 20 API calls 6412 298cb70 6399->6412 6404 298e654 13 API calls 6404->6412 6406 298c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6406->6412 6408 298f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6408->6412 6412->6396 6412->6399 6412->6404 6412->6406 6412->6408 6413 298ea84 30 API calls 6412->6413 6414 298cc1c GetTempPathA 6412->6414 6415 
298d569 closesocket Sleep 6412->6415 6416 298d815 wsprintfA 6412->6416 6417 2987ead 6 API calls 6412->6417 6418 298c517 23 API calls 6412->6418 6420 298e8a1 30 API calls 6412->6420 6422 298ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6412->6422 6423 298cfe3 GetSystemDirectoryA 6412->6423 6424 298cfad GetEnvironmentVariableA 6412->6424 6425 298675c 21 API calls 6412->6425 6426 298d027 GetSystemDirectoryA 6412->6426 6427 298d105 lstrcatA 6412->6427 6428 298ef1e lstrlenA 6412->6428 6429 298cc9f CreateFileA 6412->6429 6431 2988e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6412->6431 6432 298d15b CreateFileA 6412->6432 6436 298d149 SetFileAttributesA 6412->6436 6438 298d36e GetEnvironmentVariableA 6412->6438 6439 298d1bf SetFileAttributesA 6412->6439 6441 298d22d GetEnvironmentVariableA 6412->6441 6442 298d3af lstrcatA 6412->6442 6444 2987fcf 64 API calls 6412->6444 6445 298d3f2 CreateFileA 6412->6445 6453 298d4b1 CreateProcessA 6412->6453 6454 298d3e0 SetFileAttributesA 6412->6454 6455 298d26e lstrcatA 6412->6455 6457 298d2b1 CreateFileA 6412->6457 6458 2987ee6 64 API calls 6412->6458 6459 298d452 SetFileAttributesA 6412->6459 6462 298d29f SetFileAttributesA 6412->6462 6464 298d31d SetFileAttributesA 6412->6464 6989 298c75d 6412->6989 7001 2987e2f 6412->7001 7023 2987ead 6412->7023 7033 29831d0 6412->7033 7050 2983c09 6412->7050 7060 2983a00 6412->7060 7064 298e7b4 6412->7064 7067 298c06c 6412->7067 7073 2986f5f GetUserNameA 6412->7073 7084 298e854 6412->7084 7094 2987dd6 6412->7094 6413->6412 6414->6412 7028 298e318 6415->7028 6416->6412 6417->6412 6418->6412 6420->6412 6421 298d582 ExitProcess 6422->6412 6423->6412 6424->6412 6425->6412 6426->6412 6427->6412 6428->6412 6429->6412 6430 298ccc6 WriteFile 6429->6430 6434 298cdcc CloseHandle 6430->6434 6435 298cced CloseHandle 6430->6435 6431->6412 6432->6412 6433 298d182 WriteFile CloseHandle 6432->6433 6433->6412 6434->6412 6440 298cd2f 6435->6440 6436->6432 6437 
298cd16 wsprintfA 6437->6440 6438->6412 6439->6412 6440->6437 7010 2987fcf 6440->7010 6441->6412 6442->6412 6442->6445 6444->6412 6445->6412 6447 298d415 WriteFile CloseHandle 6445->6447 6447->6412 6448 298cda5 6450 2987ee6 64 API calls 6448->6450 6449 298cd81 WaitForSingleObject CloseHandle CloseHandle 6451 298f04e 4 API calls 6449->6451 6452 298cdbd DeleteFileA 6450->6452 6451->6448 6452->6412 6453->6412 6456 298d4e8 CloseHandle CloseHandle 6453->6456 6454->6445 6455->6412 6455->6457 6456->6412 6457->6412 6460 298d2d8 WriteFile CloseHandle 6457->6460 6458->6412 6459->6412 6460->6412 6462->6457 6464->6412 6466 298677a SetFileAttributesA 6465->6466 6467 2986784 CreateFileA 6465->6467 6466->6467 6468 29867a4 CreateFileA 6467->6468 6469 29867b5 6467->6469 6468->6469 6470 29867ba SetFileAttributesA 6469->6470 6471 29867c5 6469->6471 6470->6471 6472 29867cf GetFileSize 6471->6472 6473 2986977 6471->6473 6474 29867e5 6472->6474 6492 2986965 6472->6492 6473->6160 6493 2986a60 CreateFileA 6473->6493 6476 29867ed ReadFile 6474->6476 6474->6492 6475 298696e FindCloseChangeNotification 6475->6473 6477 2986811 SetFilePointer 6476->6477 6476->6492 6478 298682a ReadFile 6477->6478 6477->6492 6479 2986848 SetFilePointer 6478->6479 6478->6492 6480 2986867 6479->6480 6479->6492 6481 2986878 ReadFile 6480->6481 6482 29868d5 6480->6482 6483 29868d0 6481->6483 6486 2986891 6481->6486 6482->6475 6484 298ebcc 4 API calls 6482->6484 6483->6482 6485 29868f8 6484->6485 6487 2986900 SetFilePointer 6485->6487 6485->6492 6486->6481 6486->6483 6488 298695a 6487->6488 6489 298690d ReadFile 6487->6489 6491 298ec2e codecvt 4 API calls 6488->6491 6489->6488 6490 2986922 6489->6490 6490->6475 6491->6492 6492->6475 6494 2986b8c GetLastError 6493->6494 6495 2986a8f GetDiskFreeSpaceA 6493->6495 6504 2986b86 6494->6504 6496 2986ac5 6495->6496 6505 2986ad7 6495->6505 7179 298eb0e 6496->7179 6500 2986b56 CloseHandle 6503 2986b65 GetLastError CloseHandle 6500->6503 6500->6504 6501 2986b36 GetLastError 
CloseHandle 6502 2986b7f DeleteFileA 6501->6502 6502->6504 6503->6502 6504->6176 7183 2986987 6505->7183 6507 29896b9 6506->6507 6508 29873ff 17 API calls 6507->6508 6509 29896e2 6508->6509 6510 29896f7 6509->6510 6511 298704c 16 API calls 6509->6511 6510->6154 6510->6155 6511->6510 6513 29842a5 6512->6513 6518 298429d 6512->6518 7189 2983ecd 6513->7189 6515 29842b0 7193 2984000 6515->7193 6517 29843c1 CloseHandle 6517->6518 6518->6158 6518->6173 6519 29842b6 6519->6517 6519->6518 7199 2983f18 WriteFile 6519->7199 6524 29843ba CloseHandle 6524->6517 6525 2984318 6526 2983f18 4 API calls 6525->6526 6527 2984331 6526->6527 6528 2983f18 4 API calls 6527->6528 6529 298434a 6528->6529 6530 298ebcc 4 API calls 6529->6530 6531 2984350 6530->6531 6532 2983f18 4 API calls 6531->6532 6533 2984389 6532->6533 6534 298ec2e codecvt 4 API calls 6533->6534 6535 298438f 6534->6535 6536 2983f8c 4 API calls 6535->6536 6537 298439f CloseHandle CloseHandle 6536->6537 6537->6518 6539 29899eb 6538->6539 6540 2989a2f lstrcatA 6539->6540 6541 298ee2a 6540->6541 6542 2989a4b lstrcatA 6541->6542 6543 2986a60 13 API calls 6542->6543 6544 2989a60 6543->6544 6544->6182 6544->6210 6545 2986dc2 6544->6545 6546 2986e33 6545->6546 6547 2986dd7 6545->6547 6546->6199 6548 2986cc9 5 API calls 6547->6548 6549 2986ddc 6548->6549 6549->6549 6550 2986e02 GetVolumeInformationA 6549->6550 6551 2986e24 6549->6551 6550->6551 6551->6546 6553 2986cdc GetModuleHandleA GetProcAddress 6552->6553 6560 2986d8b 6552->6560 6554 2986cfd 6553->6554 6555 2986d12 GetSystemDirectoryA 6553->6555 6554->6555 6554->6560 6556 2986d1e 6555->6556 6557 2986d27 GetWindowsDirectoryA 6555->6557 6556->6557 6556->6560 6559 2986d42 6557->6559 6558 298ef1e lstrlenA 6558->6560 6559->6558 6560->6207 7207 2981910 6561->7207 6564 298934a GetModuleHandleA GetModuleFileNameA 6566 298937f 6564->6566 6567 29893d9 6566->6567 6568 29893a4 6566->6568 6570 2989401 wsprintfA 6567->6570 6569 29893c3 wsprintfA 6568->6569 6571 2989415 6569->6571 
6570->6571 6572 29894a0 6571->6572 6575 2986cc9 5 API calls 6571->6575 6573 2986edd 5 API calls 6572->6573 6574 29894ac 6573->6574 6576 298962f 6574->6576 6577 29894e8 RegOpenKeyExA 6574->6577 6581 2989439 6575->6581 6583 2989646 6576->6583 7222 2981820 6576->7222 6579 29894fb 6577->6579 6580 2989502 6577->6580 6579->6576 6586 298958a 6579->6586 6584 298951f RegQueryValueExA 6580->6584 6585 298ef1e lstrlenA 6581->6585 6592 29895d6 6583->6592 7228 29891eb 6583->7228 6587 2989539 6584->6587 6588 2989530 6584->6588 6589 2989462 6585->6589 6586->6583 6590 2989593 6586->6590 6593 2989556 RegQueryValueExA 6587->6593 6591 298956e RegCloseKey 6588->6591 6594 298947e wsprintfA 6589->6594 6590->6592 7209 298f0e4 6590->7209 6591->6579 6592->6218 6592->6219 6593->6588 6593->6591 6594->6572 6596 29895bb 6596->6592 7216 29818e0 6596->7216 6599 2982544 6598->6599 6600 298972d RegOpenKeyExA 6599->6600 6601 2989765 6600->6601 6602 2989740 6600->6602 6601->6193 6603 298974f RegDeleteValueA RegCloseKey 6602->6603 6603->6601 6605 2982554 lstrcatA 6604->6605 6606 298ee2a 6605->6606 6607 298a0ec lstrcatA 6606->6607 6607->6226 6609 298a15d 6608->6609 6610 298ec37 6608->6610 6609->6158 6609->6160 6611 298eba0 codecvt 2 API calls 6610->6611 6612 298ec3d GetProcessHeap RtlFreeHeap 6611->6612 6612->6609 6614 2982544 6613->6614 6615 298919e wsprintfA 6614->6615 6616 29891bb 6615->6616 7266 2989064 GetTempPathA 6616->7266 6619 29891d5 ShellExecuteA 6620 29891e7 6619->6620 6620->6176 6622 2986ecc 6621->6622 6624 2986ed5 6621->6624 6623 2986e36 2 API calls 6622->6623 6623->6624 6624->6214 6626 29898f6 6625->6626 6627 2984280 30 API calls 6626->6627 6628 2989904 Sleep 6626->6628 6629 2989915 6626->6629 6627->6626 6628->6626 6628->6629 6631 2989947 6629->6631 7273 298977c 6629->7273 6631->6208 6633 298dd41 InterlockedExchange 6632->6633 6634 298dd4a 6633->6634 6635 298dd20 GetCurrentThreadId 6633->6635 6637 298dd53 GetCurrentThreadId 6634->6637 6636 298dd2e GetTickCount 6635->6636 6635->6637 6638 
298dd39 Sleep 6636->6638 6639 298dd4c 6636->6639 6637->6245 6638->6633 6639->6637 6641 298dbf0 6640->6641 6673 298db67 GetEnvironmentVariableA 6641->6673 6643 298dc19 6644 298dcda 6643->6644 6645 298db67 3 API calls 6643->6645 6644->6247 6646 298dc5c 6645->6646 6646->6644 6647 298db67 3 API calls 6646->6647 6648 298dc9b 6647->6648 6648->6644 6649 298db67 3 API calls 6648->6649 6649->6644 6651 298e528 6650->6651 6652 298e3f4 6650->6652 6651->6258 6653 298e434 RegQueryValueExA 6652->6653 6654 298e458 6653->6654 6655 298e51d RegCloseKey 6653->6655 6656 298e46e RegQueryValueExA 6654->6656 6655->6651 6656->6654 6657 298e488 6656->6657 6657->6655 6658 298db2e 8 API calls 6657->6658 6659 298e499 6658->6659 6659->6655 6660 298e4b9 RegQueryValueExA 6659->6660 6661 298e4e8 6659->6661 6660->6659 6660->6661 6661->6655 6662 298e332 14 API calls 6661->6662 6663 298e513 6662->6663 6663->6655 6665 298db3a 6664->6665 6667 298db55 6664->6667 6677 298ebed 6665->6677 6667->6249 6667->6254 6695 298f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6668->6695 6670 298e3be 6670->6249 6671 298e342 6671->6670 6698 298de24 6671->6698 6674 298db89 lstrcpyA CreateFileA 6673->6674 6675 298dbca 6673->6675 6674->6643 6675->6643 6678 298ec01 6677->6678 6679 298ebf6 6677->6679 6689 298eba0 6678->6689 6686 298ebcc GetProcessHeap RtlAllocateHeap 6679->6686 6687 298eb74 2 API calls 6686->6687 6688 298ebe8 6687->6688 6688->6667 6690 298eba7 GetProcessHeap HeapSize 6689->6690 6691 298ebbf GetProcessHeap HeapReAlloc 6689->6691 6690->6691 6692 298eb74 6691->6692 6693 298eb7b GetProcessHeap HeapSize 6692->6693 6694 298eb93 6692->6694 6693->6694 6694->6667 6709 298eb41 6695->6709 6697 298f0b7 6697->6671 6699 298de3a 6698->6699 6706 298de4e 6699->6706 6718 298dd84 6699->6718 6702 298ebed 8 API calls 6704 298def6 6702->6704 6703 298de9e 6703->6702 6703->6706 6704->6706 6708 298ddcf lstrcmpA 6704->6708 6705 298de76 6722 298ddcf 6705->6722 6706->6671 6708->6706 6710 298eb4a 6709->6710 6711 298eb61 6709->6711 
6714 298eae4 6710->6714 6711->6697 6713 298eb54 6713->6697 6713->6711 6715 298eaed LoadLibraryA 6714->6715 6716 298eb02 GetProcAddress 6714->6716 6715->6716 6717 298eb01 6715->6717 6716->6713 6717->6713 6719 298dd96 6718->6719 6720 298ddc5 6718->6720 6719->6720 6721 298ddad lstrcmpiA 6719->6721 6720->6703 6720->6705 6721->6719 6721->6720 6723 298de20 6722->6723 6724 298dddd 6722->6724 6723->6706 6724->6723 6725 298ddfa lstrcmpA 6724->6725 6725->6724 6727 298dd05 6 API calls 6726->6727 6728 298e821 6727->6728 6729 298dd84 lstrcmpiA 6728->6729 6730 298e82c 6729->6730 6731 298e844 6730->6731 6776 2982480 6730->6776 6731->6274 6734 298ea98 6733->6734 6785 298e8a1 6734->6785 6736 2981e84 6736->6283 6738 29819d5 GetProcAddress GetProcAddress GetProcAddress 6737->6738 6741 29819ce 6737->6741 6739 2981ab3 FreeLibrary 6738->6739 6740 2981a04 6738->6740 6739->6741 6740->6739 6742 2981a14 GetBestInterface GetProcessHeap 6740->6742 6741->6287 6742->6741 6743 2981a2e HeapAlloc 6742->6743 6743->6741 6744 2981a42 GetAdaptersInfo 6743->6744 6745 2981a62 6744->6745 6746 2981a52 HeapReAlloc 6744->6746 6747 2981a69 GetAdaptersInfo 6745->6747 6748 2981aa1 FreeLibrary 6745->6748 6746->6745 6747->6748 6749 2981a75 HeapFree 6747->6749 6748->6741 6749->6748 6813 2981ac3 LoadLibraryA 6751->6813 6754 2981bcf 6754->6299 6756 2981ac3 13 API calls 6755->6756 6757 2981c09 6756->6757 6758 2981c5a 6757->6758 6759 2981c0d GetComputerNameA 6757->6759 6758->6306 6760 2981c1f 6759->6760 6761 2981c45 GetVolumeInformationA 6759->6761 6760->6761 6762 2981c41 6760->6762 6761->6758 6762->6758 6764 298ee2a 6763->6764 6765 29830d0 gethostname gethostbyname 6764->6765 6766 2981f82 6765->6766 6766->6311 6766->6313 6768 298dd05 6 API calls 6767->6768 6769 298df7c 6768->6769 6770 298dd84 lstrcmpiA 6769->6770 6774 298df89 6770->6774 6771 298dfc4 6771->6280 6772 298ddcf lstrcmpA 6772->6774 6773 298ec2e codecvt 4 API calls 6773->6774 6774->6771 6774->6772 6774->6773 6775 298dd84 lstrcmpiA 6774->6775 6775->6774 
6779 2982419 lstrlenA 6776->6779 6778 2982491 6778->6731 6780 298243d lstrlenA 6779->6780 6781 2982474 6779->6781 6782 298244e lstrcmpiA 6780->6782 6783 2982464 lstrlenA 6780->6783 6781->6778 6782->6783 6784 298245c 6782->6784 6783->6780 6783->6781 6784->6781 6784->6783 6786 298dd05 6 API calls 6785->6786 6787 298e8b4 6786->6787 6788 298dd84 lstrcmpiA 6787->6788 6789 298e8c0 6788->6789 6790 298e8c8 lstrcpynA 6789->6790 6791 298e90a 6789->6791 6793 298e8f5 6790->6793 6792 2982419 4 API calls 6791->6792 6801 298ea27 6791->6801 6794 298e926 lstrlenA lstrlenA 6792->6794 6806 298df4c 6793->6806 6795 298e96a 6794->6795 6796 298e94c lstrlenA 6794->6796 6800 298ebcc 4 API calls 6795->6800 6795->6801 6796->6795 6798 298e901 6799 298dd84 lstrcmpiA 6798->6799 6799->6791 6802 298e98f 6800->6802 6801->6736 6802->6801 6803 298df4c 20 API calls 6802->6803 6804 298ea1e 6803->6804 6805 298ec2e codecvt 4 API calls 6804->6805 6805->6801 6807 298dd05 6 API calls 6806->6807 6808 298df51 6807->6808 6809 298f04e 4 API calls 6808->6809 6810 298df58 6809->6810 6811 298de24 10 API calls 6810->6811 6812 298df63 6811->6812 6812->6798 6814 2981ae2 GetProcAddress 6813->6814 6820 2981b68 GetComputerNameA GetVolumeInformationA 6813->6820 6817 2981af5 6814->6817 6814->6820 6815 2981b1c GetAdaptersAddresses 6815->6817 6818 2981b29 6815->6818 6816 298ebed 8 API calls 6816->6817 6817->6815 6817->6816 6817->6818 6818->6818 6819 298ec2e codecvt 4 API calls 6818->6819 6818->6820 6819->6820 6820->6754 6822 2986ec3 2 API calls 6821->6822 6823 2987ef4 6822->6823 6833 2987fc9 6823->6833 6857 29873ff 6823->6857 6825 2987f16 6825->6833 6877 2987809 GetUserNameA 6825->6877 6827 2987f63 6827->6833 6901 298ef1e lstrlenA 6827->6901 6830 298ef1e lstrlenA 6831 2987fb7 6830->6831 6903 2987a95 RegOpenKeyExA 6831->6903 6833->6322 6835 2987073 6834->6835 6836 29870b9 RegOpenKeyExA 6835->6836 6837 29870d0 6836->6837 6851 29871b8 6836->6851 6838 2986dc2 6 API calls 6837->6838 6841 29870d5 6838->6841 6839 298719b 
RegEnumValueA 6840 29871af RegCloseKey 6839->6840 6839->6841 6840->6851 6841->6839 6843 29871d0 6841->6843 6934 298f1a5 lstrlenA 6841->6934 6844 2987205 RegCloseKey 6843->6844 6845 2987227 6843->6845 6844->6851 6846 29872b8 ___ascii_stricmp 6845->6846 6847 298728e RegCloseKey 6845->6847 6848 29872cd RegCloseKey 6846->6848 6849 29872dd 6846->6849 6847->6851 6848->6851 6850 2987311 RegCloseKey 6849->6850 6852 2987335 6849->6852 6850->6851 6851->6323 6853 29873d5 RegCloseKey 6852->6853 6855 298737e GetFileAttributesExA 6852->6855 6856 2987397 6852->6856 6854 29873e4 6853->6854 6855->6856 6856->6853 6858 298741b 6857->6858 6859 2986dc2 6 API calls 6858->6859 6860 298743f 6859->6860 6861 2987469 RegOpenKeyExA 6860->6861 6862 29877f9 6861->6862 6873 2987487 ___ascii_stricmp 6861->6873 6862->6825 6863 2987703 RegEnumKeyA 6864 2987714 RegCloseKey 6863->6864 6863->6873 6864->6862 6865 298f1a5 lstrlenA 6865->6873 6866 29874d2 RegOpenKeyExA 6866->6873 6867 298772c 6869 298774b 6867->6869 6870 2987742 RegCloseKey 6867->6870 6868 2987521 RegQueryValueExA 6868->6873 6871 29877ec RegCloseKey 6869->6871 6870->6869 6871->6862 6872 29876e4 RegCloseKey 6872->6873 6873->6863 6873->6865 6873->6866 6873->6867 6873->6868 6873->6872 6874 2987769 6873->6874 6876 298777e GetFileAttributesExA 6873->6876 6875 29877e3 RegCloseKey 6874->6875 6875->6871 6876->6874 6878 298783d LookupAccountNameA 6877->6878 6879 2987a8d 6877->6879 6878->6879 6880 2987874 GetLengthSid GetFileSecurityA 6878->6880 6879->6827 6880->6879 6881 29878a8 GetSecurityDescriptorOwner 6880->6881 6882 298791d GetSecurityDescriptorDacl 6881->6882 6883 29878c5 EqualSid 6881->6883 6882->6879 6891 2987941 6882->6891 6883->6882 6884 29878dc LocalAlloc 6883->6884 6884->6882 6885 29878ef InitializeSecurityDescriptor 6884->6885 6887 29878fb SetSecurityDescriptorOwner 6885->6887 6888 2987916 LocalFree 6885->6888 6886 298795b GetAce 6886->6891 6887->6888 6889 298790b SetFileSecurityA 6887->6889 6888->6882 6889->6888 6890 2987980 
EqualSid 6890->6891 6891->6879 6891->6886 6891->6890 6892 2987a3d 6891->6892 6893 29879be EqualSid 6891->6893 6894 298799d DeleteAce 6891->6894 6892->6879 6895 2987a43 LocalAlloc 6892->6895 6893->6891 6894->6891 6895->6879 6896 2987a56 InitializeSecurityDescriptor 6895->6896 6897 2987a62 SetSecurityDescriptorDacl 6896->6897 6898 2987a86 LocalFree 6896->6898 6897->6898 6899 2987a73 SetFileSecurityA 6897->6899 6898->6879 6899->6898 6900 2987a83 6899->6900 6900->6898 6902 2987fa6 6901->6902 6902->6830 6904 2987acb GetUserNameA 6903->6904 6905 2987ac4 6903->6905 6906 2987aed LookupAccountNameA 6904->6906 6907 2987da7 RegCloseKey 6904->6907 6905->6833 6906->6907 6908 2987b24 RegGetKeySecurity 6906->6908 6907->6905 6908->6907 6909 2987b49 GetSecurityDescriptorOwner 6908->6909 6910 2987bb8 GetSecurityDescriptorDacl 6909->6910 6911 2987b63 EqualSid 6909->6911 6912 2987da6 6910->6912 6926 2987bdc 6910->6926 6911->6910 6913 2987b74 LocalAlloc 6911->6913 6912->6907 6913->6910 6914 2987b8a InitializeSecurityDescriptor 6913->6914 6916 2987bb1 LocalFree 6914->6916 6917 2987b96 SetSecurityDescriptorOwner 6914->6917 6915 2987bf8 GetAce 6915->6926 6916->6910 6917->6916 6918 2987ba6 RegSetKeySecurity 6917->6918 6918->6916 6919 2987c1d EqualSid 6919->6926 6920 2987cd9 6920->6912 6923 2987d5a LocalAlloc 6920->6923 6925 2987cf2 RegOpenKeyExA 6920->6925 6921 2987c5f EqualSid 6921->6926 6922 2987c3a DeleteAce 6922->6926 6923->6912 6924 2987d70 InitializeSecurityDescriptor 6923->6924 6927 2987d7c SetSecurityDescriptorDacl 6924->6927 6928 2987d9f LocalFree 6924->6928 6925->6923 6931 2987d0f 6925->6931 6926->6912 6926->6915 6926->6919 6926->6920 6926->6921 6926->6922 6927->6928 6929 2987d8c RegSetKeySecurity 6927->6929 6928->6912 6929->6928 6930 2987d9c 6929->6930 6930->6928 6932 2987d43 RegSetValueExA 6931->6932 6932->6923 6933 2987d54 6932->6933 6933->6923 6935 298f1c3 6934->6935 6935->6841 6936->6342 6938 298dd05 6 API calls 6937->6938 6941 298e65f 6938->6941 6939 298e6a5 6940 298ebcc 4 
API calls 6939->6940 6943 298e6f5 6939->6943 6945 298e6b0 6940->6945 6941->6939 6942 298e68c lstrcmpA 6941->6942 6942->6941 6944 298e6b7 6943->6944 6946 298e71d lstrcmpA 6943->6946 6944->6344 6945->6943 6945->6944 6947 298e6e0 lstrcpynA 6945->6947 6946->6943 6947->6943 6948->6350 6950 2982692 inet_addr 6949->6950 6952 298268e 6949->6952 6951 298269e gethostbyname 6950->6951 6950->6952 6951->6952 6953 298f428 6952->6953 7101 298f315 6953->7101 6956 298f43e 6957 298f473 recv 6956->6957 6958 298f458 6957->6958 6959 298f47c 6957->6959 6958->6957 6958->6959 6959->6381 6961 298c532 6960->6961 6962 298c525 6960->6962 6963 298c548 6961->6963 7114 298e7ff 6961->7114 6962->6961 6965 298ec2e codecvt 4 API calls 6962->6965 6966 298e7ff lstrcmpiA 6963->6966 6975 298c54f 6963->6975 6965->6961 6967 298c615 6966->6967 6968 298ebcc 4 API calls 6967->6968 6967->6975 6968->6975 6969 298c5d1 6972 298ebcc 4 API calls 6969->6972 6971 298e819 11 API calls 6973 298c5b7 6971->6973 6972->6975 6974 298f04e 4 API calls 6973->6974 6976 298c5bf 6974->6976 6975->6363 6976->6963 6976->6969 6979 298c8d2 6977->6979 6978 298c907 6978->6365 6979->6978 6980 298c517 23 API calls 6979->6980 6980->6978 6982 298c670 6981->6982 6983 298c67d 6981->6983 6984 298ebcc 4 API calls 6982->6984 6985 298ebcc 4 API calls 6983->6985 6987 298c699 6983->6987 6984->6983 6985->6987 6986 298c6f3 6986->6394 6986->6412 6987->6986 6988 298c73c send 6987->6988 6988->6986 6990 298c770 6989->6990 6991 298c77d 6989->6991 6992 298ebcc 4 API calls 6990->6992 6993 298c799 6991->6993 6994 298ebcc 4 API calls 6991->6994 6992->6991 6995 298c7b5 6993->6995 6996 298ebcc 4 API calls 6993->6996 6994->6993 6997 298f43e recv 6995->6997 6996->6995 6998 298c7cb 6997->6998 6999 298f43e recv 6998->6999 7000 298c7d3 6998->7000 6999->7000 7000->6412 7117 2987db7 7001->7117 7004 2987e70 7005 2987e96 7004->7005 7007 298f04e 4 API calls 7004->7007 7005->6412 7006 298f04e 4 API calls 7008 2987e4c 7006->7008 7007->7005 7008->7004 7009 298f04e 4 API 
APIs
• closesocket.WS2_32(?), ref: 0298CA4E
• closesocket.WS2_32(?), ref: 0298CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0298CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0298CCB4
• WriteFile.KERNEL32(0298A4B3,?,-000000E8,?,00000000), ref: 0298CCDC
• CloseHandle.KERNEL32(0298A4B3), ref: 0298CCED
• wsprintfA.USER32 ref: 0298CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0298CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0298CD89
• CloseHandle.KERNEL32(?), ref: 0298CD98
• CloseHandle.KERNEL32(?), ref: 0298CD9D
• DeleteFileA.KERNEL32(?), ref: 0298CDC4
• CloseHandle.KERNEL32(0298A4B3), ref: 0298CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0298CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0298CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0298D033
• lstrcatA.KERNEL32(?,04100108), ref: 0298D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0298D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0298D171
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000), ref: 0298D195
• CloseHandle.KERNEL32(00000000), ref: 0298D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0298D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0298D231
• lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 0298D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0298D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0298D2C7
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0298D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0298D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0298D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0298D372
• lstrcatA.KERNEL32(?,04100108,?,?,?,?,?,?,?,00000100), ref: 0298D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0298D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0298D408
• WriteFile.KERNEL32(00000000,0410012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0298D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0298D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0298D45B
• CreateProcessA.KERNEL32(?,02990264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0298D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0298D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0298D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0298D513
• closesocket.WS2_32(?), ref: 0298D56C
• Sleep.KERNEL32(000003E8), ref: 0298D577
• ExitProcess.KERNEL32 ref: 0298D583
• wsprintfA.USER32 ref: 0298D81F
  • Part of subcall function 0298C65C: send.WS2_32(00000000,?,00000000), ref: 0298C74B
• closesocket.WS2_32(?), ref: 0298DAD5
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                                  • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                                  • API String ID: 562065436-526785942
                                                                                                  • Opcode ID: 1921639163eb9c81b4cb2cd7f8b0cf5fcc4c52d6725a87e39209b3d906468e36
                                                                                                  • Instruction ID: ef0fe2d43948c8bdbb76095bdf94b27bf5bcfafdd1dfccda2ec212b5a190b398
                                                                                                  • Opcode Fuzzy Hash: 1921639163eb9c81b4cb2cd7f8b0cf5fcc4c52d6725a87e39209b3d906468e36
                                                                                                  • Instruction Fuzzy Hash: 8CB2A372D44209AFEB24BFA8DC85FEE7BBDAB44314F18046AF549A7180D7309A55CF60
                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE(00000003), ref: 02989A7F
                                                                                                  • SetErrorMode.KERNELBASE(00000003), ref: 02989A83
                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(02986511), ref: 02989A8A
                                                                                                    • Part of subcall function 0298EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0298EC5E
                                                                                                    • Part of subcall function 0298EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0298EC72
                                                                                                    • Part of subcall function 0298EC54: GetTickCount.KERNEL32 ref: 0298EC78
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02989AB3
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 02989ABA
                                                                                                  • GetCommandLineA.KERNEL32 ref: 02989AFD
                                                                                                  • lstrlenA.KERNEL32(?), ref: 02989B99
                                                                                                  • ExitProcess.KERNEL32 ref: 02989C06
                                                                                                  • GetTempPathA.KERNEL32(000001F4,?), ref: 02989CAC
                                                                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 02989D7A
                                                                                                  • lstrcatA.KERNEL32(?,?), ref: 02989D8B
                                                                                                  • lstrcatA.KERNEL32(?,0299070C), ref: 02989D9D
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02989DED
                                                                                                  • DeleteFileA.KERNEL32(00000022), ref: 02989E38
                                                                                                  • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02989E6F
                                                                                                  • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02989EC8
                                                                                                  • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02989ED5
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02989F3B
                                                                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02989F5E
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02989F6A
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02989FAD
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02989FB4
                                                                                                  • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02989FFE
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 0298A038
                                                                                                  • lstrcatA.KERNEL32(00000022,02990A34), ref: 0298A05E
                                                                                                  • lstrcatA.KERNEL32(00000022,00000022), ref: 0298A072
                                                                                                  • lstrcatA.KERNEL32(00000022,02990A34), ref: 0298A08D
                                                                                                  • wsprintfA.USER32 ref: 0298A0B6
                                                                                                  • lstrcatA.KERNEL32(00000022,00000000), ref: 0298A0DE
                                                                                                  • lstrcatA.KERNEL32(00000022,?), ref: 0298A0FD
                                                                                                  • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0298A120
                                                                                                  • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0298A131
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0298A174
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 0298A17B
                                                                                                  • GetDriveTypeA.KERNEL32(00000022), ref: 0298A1B6
                                                                                                  • GetCommandLineA.KERNEL32 ref: 0298A1E5
                                                                                                    • Part of subcall function 029899D2: lstrcpyA.KERNEL32(?,?,00000100,029922F8,00000000,?,02989E9D,?,00000022,?,?,?,?,?,?,?), ref: 029899DF
                                                                                                    • Part of subcall function 029899D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02989E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02989A3C
                                                                                                    • Part of subcall function 029899D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02989E9D,?,00000022,?,?,?), ref: 02989A52
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0298A288
                                                                                                  • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0298A3B7
                                                                                                  • GetLastError.KERNEL32 ref: 0298A3ED
                                                                                                  • Sleep.KERNEL32(000003E8), ref: 0298A400
                                                                                                  • DeleteFileA.KERNELBASE(029933D8), ref: 0298A407
                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,0298405E,00000000,00000000,00000000), ref: 0298A42C
                                                                                                  • WSAStartup.WS2_32(00001010,?), ref: 0298A43A
                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,0298877E,00000000,00000000,00000000), ref: 0298A469
                                                                                                  • Sleep.KERNELBASE(00000BB8), ref: 0298A48A
                                                                                                  • GetTickCount.KERNEL32 ref: 0298A49F
                                                                                                  • GetTickCount.KERNEL32 ref: 0298A4B7
                                                                                                  • Sleep.KERNELBASE(00001A90), ref: 0298A4C3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                                  • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$D$P$\$zuvmebno
                                                                                                  • API String ID: 2089075347-3989569355
                                                                                                  • Opcode ID: 4588b4b382161a0a77c7fcd9338fcfd3db7e6239508300dd0d44f321f5ab37fa
                                                                                                  • Instruction ID: 54eebe819bf62ef1908017b8a6440113116dfa78b08f405d6b7e0c41a4f12a17
                                                                                                  • Opcode Fuzzy Hash: 4588b4b382161a0a77c7fcd9338fcfd3db7e6239508300dd0d44f321f5ab37fa
                                                                                                  • Instruction Fuzzy Hash: 525282B2C44259AFEF21ABA4CC49EFE7BBCAF44314F0844A6F519E6141E7709A44CF60
Control-flow Graph
control_flow_graph 905 298199c-29819cc inet_addr LoadLibraryA 906 29819ce-29819d0 905->906 907 29819d5-29819fe GetProcAddress * 3 905->907 908 2981abf-2981ac2 906->908 909 2981ab3-2981ab6 FreeLibrary 907->909 910 2981a04-2981a06 907->910 912 2981abc 909->912 910->909 911 2981a0c-2981a0e 910->911 911->909 913 2981a14-2981a28 GetBestInterface GetProcessHeap 911->913 914 2981abe 912->914 913->912 915 2981a2e-2981a40 HeapAlloc 913->915 914->908 915->912 916 2981a42-2981a50 GetAdaptersInfo 915->916 917 2981a62-2981a67 916->917 918 2981a52-2981a60 HeapReAlloc 916->918 919 2981a69-2981a73 GetAdaptersInfo 917->919 920 2981aa1-2981aad FreeLibrary 917->920 918->917 919->920 922 2981a75 919->922 920->912 921 2981aaf-2981ab1 920->921 921->914 923 2981a77-2981a80 922->923 924 2981a8a-2981a91 923->924 925 2981a82-2981a86 923->925 927 2981a93 924->927 928 2981a96-2981a9b HeapFree 924->928 925->923 926 2981a88 925->926 926->928 927->928 928->920
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 029819B1
• LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02981E9E), ref: 029819BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 029819E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 029819ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 029819F9
• GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02981E9E), ref: 02981A1B
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,02981E9E), ref: 02981A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02981E9E), ref: 02981A36
• GetAdaptersInfo.IPHLPAPI(00000000,02981E9E,?,?,?,?,00000001,02981E9E), ref: 02981A4A
• HeapReAlloc.KERNEL32(?,00000000,00000000,02981E9E,?,?,?,?,00000001,02981E9E), ref: 02981A5A
• GetAdaptersInfo.IPHLPAPI(00000000,02981E9E,?,?,?,?,00000001,02981E9E), ref: 02981A6E
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02981E9E), ref: 02981A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02981E9E), ref: 02981AA4
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 293628436-270533642
• Opcode ID: fe9dfb88682f8ed96fcb2de78a1b508244558e84f497a254d03921c4aa13e748
• Instruction ID: b2a805e520d80c2d085b55f15e7ec4c30a757fde37c8a3db9807f99cbbef93e0
• Opcode Fuzzy Hash: fe9dfb88682f8ed96fcb2de78a1b508244558e84f497a254d03921c4aa13e748
• Instruction Fuzzy Hash: B9316236D40219AFDF11AFE8DC888BEBBB9EF45215F180979E519E3110D7344A81CB60
Control-flow Graph
control_flow_graph 696 2987a95-2987ac2 RegOpenKeyExA 697 2987acb-2987ae7 GetUserNameA 696->697 698 2987ac4-2987ac6 696->698 700 2987aed-2987b1e LookupAccountNameA 697->700 701 2987da7-2987db3 RegCloseKey 697->701 699 2987db4-2987db6 698->699 700->701 702 2987b24-2987b43 RegGetKeySecurity 700->702 701->699 702->701 703 2987b49-2987b61 GetSecurityDescriptorOwner 702->703 704 2987bb8-2987bd6 GetSecurityDescriptorDacl 703->704 705 2987b63-2987b72 EqualSid 703->705 706 2987bdc-2987be1 704->706 707 2987da6 704->707 705->704 708 2987b74-2987b88 LocalAlloc 705->708 706->707 709 2987be7-2987bf2 706->709 707->701 708->704 710 2987b8a-2987b94 InitializeSecurityDescriptor 708->710 709->707 711 2987bf8-2987c08 GetAce 709->711 712 2987bb1-2987bb2 LocalFree 710->712 713 2987b96-2987ba4 SetSecurityDescriptorOwner 710->713 714 2987c0e-2987c1b 711->714 715 2987cc6 711->715 712->704 713->712 716 2987ba6-2987bab RegSetKeySecurity 713->716 718 2987c1d-2987c2f EqualSid 714->718 719 2987c4f-2987c52 714->719 717 2987cc9-2987cd3 715->717 716->712 717->711 720 2987cd9-2987cdc 717->720 721 2987c31-2987c34 718->721 722 2987c36-2987c38 718->722 723 2987c5f-2987c71 EqualSid 719->723 724 2987c54-2987c5e 719->724 720->707 725 2987ce2-2987ce8 720->725 721->718 721->722 722->719 726 2987c3a-2987c4d DeleteAce 722->726 727 2987c73-2987c84 723->727 728 2987c86 723->728 724->723 729 2987d5a-2987d6e LocalAlloc 725->729 730 2987cea-2987cf0 725->730 726->717 731 2987c8b-2987c8e 727->731 728->731 729->707 734 2987d70-2987d7a InitializeSecurityDescriptor 729->734 730->729 735 2987cf2-2987d0d RegOpenKeyExA 730->735 732 2987c9d-2987c9f 731->732 733 2987c90-2987c96 731->733 736 2987ca1-2987ca5 732->736 737 2987ca7-2987cc3 732->737 733->732 738 2987d7c-2987d8a SetSecurityDescriptorDacl 734->738 739 2987d9f-2987da0 LocalFree 734->739 735->729 740 2987d0f-2987d16 735->740 736->715 736->737 737->715 738->739 741 2987d8c-2987d9a RegSetKeySecurity 738->741 739->707 742 2987d19-2987d1e 740->742 741->739 743 2987d9c 741->743 742->742 744 2987d20-2987d52 call 2982544 RegSetValueExA 742->744 743->739 744->729 747 2987d54 744->747 747->729
APIs
• RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02987ABA
• GetUserNameA.ADVAPI32(?,?), ref: 02987ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0299070C,?,?,?), ref: 02987B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02987B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02987B59
• EqualSid.ADVAPI32(?,00000022), ref: 02987B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02987B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02987B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02987B9C
• RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02987BAB
• LocalFree.KERNEL32(00000000), ref: 02987BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,02987FC9,?,00000000), ref: 02987BCE
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$D
• API String ID: 2976863881-636235547
• Opcode ID: 3512cddf4012f6a9477799483d0683633381bb2e3000b9204229da2aec367e01
• Instruction ID: c5a9d463c014a95ef830a2f5fb0cbc54b5c7c5b25f96fcf9ae4e8d97199f4a9c
• Opcode Fuzzy Hash: 3512cddf4012f6a9477799483d0683633381bb2e3000b9204229da2aec367e01
• Instruction Fuzzy Hash: 1CA15A76D40219ABEF11AFA4CC88EFEBBBDFF44314F184469EA15E2140E7358A55CB60
Control-flow Graph
control_flow_graph 748 2987809-2987837 GetUserNameA 749 298783d-298786e LookupAccountNameA 748->749 750 2987a8e-2987a94 748->750 749->750 751 2987874-29878a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 29878a8-29878c3 GetSecurityDescriptorOwner 751->752 753 298791d-298793b GetSecurityDescriptorDacl 752->753 754 29878c5-29878da EqualSid 752->754 755 2987a8d 753->755 756 2987941-2987946 753->756 754->753 757 29878dc-29878ed LocalAlloc 754->757 755->750 756->755 758 298794c-2987955 756->758 757->753 759 29878ef-29878f9 InitializeSecurityDescriptor 757->759 758->755 760 298795b-298796b GetAce 758->760 761 29878fb-2987909 SetSecurityDescriptorOwner 759->761 762 2987916-2987917 LocalFree 759->762 763 2987a2a 760->763 764 2987971-298797e 760->764 761->762 765 298790b-2987910 SetFileSecurityA 761->765 762->753 768 2987a2d-2987a37 763->768 766 29879ae-29879b1 764->766 767 2987980-2987992 EqualSid 764->767 765->762 772 29879be-29879d0 EqualSid 766->772 773 29879b3-29879bd 766->773 769 2987999-298799b 767->769 770 2987994-2987997 767->770 768->760 771 2987a3d-2987a41 768->771 769->766 774 298799d-29879ac DeleteAce 769->774 770->767 770->769 771->755 775 2987a43-2987a54 LocalAlloc 771->775 776 29879d2-29879e3 772->776 777 29879e5 772->777 773->772 774->768 775->755 778 2987a56-2987a60 InitializeSecurityDescriptor 775->778 779 29879ea-29879ed 776->779 777->779 780 2987a62-2987a71 SetSecurityDescriptorDacl 778->780 781 2987a86-2987a87 LocalFree 778->781 782 29879f8-29879fb 779->782 783 29879ef-29879f5 779->783 780->781 786 2987a73-2987a81 SetFileSecurityA 780->786 781->755 784 29879fd-2987a01 782->784 785 2987a03-2987a0e 782->785 783->782 784->763 784->785 787 2987a19-2987a24 785->787 788 2987a10-2987a17 785->788 786->781 789 2987a83 786->789 790 2987a27 787->790 788->790 789->781 790->763
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0298782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02987866
• GetLengthSid.ADVAPI32(?), ref: 02987878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0298789A
• GetSecurityDescriptorOwner.ADVAPI32(?,02987F63,?), ref: 029878B8
• EqualSid.ADVAPI32(?,02987F63), ref: 029878D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 029878E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029878F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02987901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02987910
• LocalFree.KERNEL32(00000000), ref: 02987917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02987933
• GetAce.ADVAPI32(?,00000000,?), ref: 02987963
• EqualSid.ADVAPI32(?,02987F63), ref: 0298798A
• DeleteAce.ADVAPI32(?,00000000), ref: 029879A3
• EqualSid.ADVAPI32(?,02987F63), ref: 029879C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02987A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02987A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02987A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02987A79
• LocalFree.KERNEL32(00000000), ref: 02987A87
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                                  • String ID: D
                                                                                                  • API String ID: 3722657555-2746444292
                                                                                                  • Opcode ID: 106c74a3477dd7f6f77816d42a3a04ca825bc8f479a220b002c08fbccfc42d35
                                                                                                  • Instruction ID: 5d10bb2c56aa859b5530a476893de475c7500addc4c3fc0828513c538f3fb61f
                                                                                                  • Opcode Fuzzy Hash: 106c74a3477dd7f6f77816d42a3a04ca825bc8f479a220b002c08fbccfc42d35
                                                                                                  • Instruction Fuzzy Hash: 22813A76D0421AABDB21DFE4CD84FEEBBBCAF08344F28456AE515E2140E7359651CFA0

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 791 2988328-298833e call 2987dd6 794 2988348-2988356 call 2986ec3 791->794 795 2988340-2988343 791->795 799 298846b-2988474 794->799 800 298835c-2988378 call 29873ff 794->800 796 298877b-298877d 795->796 802 298847a-2988480 799->802 803 29885c2-29885ce 799->803 810 298837e-2988384 800->810 811 2988464-2988466 800->811 802->803 807 2988486-29884ba call 2982544 RegOpenKeyExA 802->807 805 29885d0-29885da call 298675c 803->805 806 2988615-2988620 803->806 818 29885df-29885eb 805->818 808 2988626-298864c GetTempPathA call 2988274 call 298eca5 806->808 809 29886a7-29886b0 call 2986ba7 806->809 824 29884c0-29884db RegQueryValueExA 807->824 825 2988543-2988571 call 2982544 RegOpenKeyExA 807->825 845 298864e-298866f call 298eca5 808->845 846 2988671-29886a4 call 2982544 call 298ef00 call 298ee2a 808->846 826 2988762 809->826 827 29886b6-29886bd call 2987e2f 809->827 810->811 816 298838a-298838d 810->816 817 2988779-298877a 811->817 816->811 822 2988393-2988399 816->822 817->796 818->806 823 29885ed-29885ef 818->823 829 298839c-29883a1 822->829 823->806 830 29885f1-29885fa 823->830 832 29884dd-29884e1 824->832 833 2988521-298852d RegCloseKey 824->833 851 2988573-298857b 825->851 852 29885a5-29885b7 call 298ee2a 825->852 835 2988768-298876b 826->835 856 298875b-298875c DeleteFileA 827->856 857 29886c3-298873b call 298ee2a * 2 lstrcpyA lstrlenA call 2987fcf CreateProcessA 827->857 829->829 837 29883a3-29883af 829->837 830->806 839 29885fc-298860f call 29824c2 830->839 832->833 841 29884e3-29884e6 832->841 833->825 838 298852f-2988541 call 298eed1 833->838 843 298876d-2988775 call 298ec2e 835->843 844 2988776-2988778 835->844 847 29883b1 837->847 848 29883b3-29883ba 837->848 838->825 838->852 839->806 839->835 841->833 853 29884e8-29884f6 call 298ebcc 841->853 843->844 844->817 845->846 846->809 847->848 862 2988450-298845f call 298ee2a 848->862 863 29883c0-29883fb call 2982544 RegOpenKeyExA 848->863 865 298857e-2988583 851->865 852->803 876 29885b9-29885c1 call 298ec2e 852->876 853->833 875 29884f8-2988513 RegQueryValueExA 853->875 856->826 899 298873d-298874d CloseHandle * 2 857->899 900 298874f-298875a call 2987ee6 call 2987ead 857->900 862->803 863->862 885 29883fd-298841c RegQueryValueExA 863->885 865->865 874 2988585-298859f RegSetValueExA RegCloseKey 865->874 874->852 875->833 881 2988515-298851e call 298ec2e 875->881 876->803 881->833 890 298842d-2988441 RegSetValueExA 885->890 891 298841e-2988421 885->891 892 2988447-298844a RegCloseKey 890->892 891->890 896 2988423-2988426 891->896 892->862 896->890 897 2988428-298842b 896->897 897->890 897->892 899->835 900->856
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 029883F3
                                                                                                  • RegQueryValueExA.KERNELBASE(02990750,?,00000000,?,02988893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02988414
                                                                                                  • RegSetValueExA.KERNELBASE(02990750,?,00000000,00000004,02988893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02988441
                                                                                                  • RegCloseKey.ADVAPI32(02990750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0298844A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseOpenQuery
                                                                                                  • String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe$localcfg
                                                                                                  • API String ID: 237177642-3536369285
                                                                                                  • Opcode ID: afc41faf678b030a55809cf8e2184183c72e8ccb31435a60c74386433eb18e5a
                                                                                                  • Instruction ID: 0162da3c5bc236f8dea430033c63625b513b563d4a25d96b05497eacbffe752c
                                                                                                  • Opcode Fuzzy Hash: afc41faf678b030a55809cf8e2184183c72e8ccb31435a60c74386433eb18e5a
                                                                                                  • Instruction Fuzzy Hash: C2C18EB2D8424DBEEB11BBA89C85EFE7BBDEB44314F5804A6F505A2041E7304A94CF61

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32 ref: 02981DC6
                                                                                                  • GetSystemInfo.KERNELBASE(?), ref: 02981DE8
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02981E03
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02981E0A
                                                                                                  • GetCurrentProcess.KERNEL32(?), ref: 02981E1B
                                                                                                  • GetTickCount.KERNEL32 ref: 02981FC9
                                                                                                    • Part of subcall function 02981BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02981C15
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                                  • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                                  • API String ID: 4207808166-1381319158
                                                                                                  • Opcode ID: 33e520c55001b65c5529b49621fea858ca4972af5ab98e94555a802690d5bdb4
                                                                                                  • Instruction ID: abe6e680cfe398687eb838bd571fe34ead50e9f26ea3ed4e00ed2bf08f0ee92e
                                                                                                  • Opcode Fuzzy Hash: 33e520c55001b65c5529b49621fea858ca4972af5ab98e94555a802690d5bdb4
                                                                                                  • Instruction Fuzzy Hash: 0B5193B19083446FE720BF798C85F2BBAECEF85758F08091DF59A82242D774A545CB61

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 999 29873ff-2987419 1000 298741b 999->1000 1001 298741d-2987422 999->1001 1000->1001 1002 2987424 1001->1002 1003 2987426-298742b 1001->1003 1002->1003 1004 298742d 1003->1004 1005 2987430-2987435 1003->1005 1004->1005 1006 298743a-2987481 call 2986dc2 call 2982544 RegOpenKeyExA 1005->1006 1007 2987437 1005->1007 1012 29877f9-29877fe call 298ee2a 1006->1012 1013 2987487-298749d call 298ee2a 1006->1013 1007->1006 1018 2987801 1012->1018 1019 2987703-298770e RegEnumKeyA 1013->1019 1022 2987804-2987808 1018->1022 1020 29874a2-29874b1 call 2986cad 1019->1020 1021 2987714-298771d RegCloseKey 1019->1021 1025 29876ed-2987700 1020->1025 1026 29874b7-29874cc call 298f1a5 1020->1026 1021->1018 1025->1019 1026->1025 1029 29874d2-29874f8 RegOpenKeyExA 1026->1029 1030 29874fe-2987530 call 2982544 RegQueryValueExA 1029->1030 1031 2987727-298772a 1029->1031 1030->1031 1038 2987536-298753c 1030->1038 1033 298772c-2987740 call 298ef00 1031->1033 1034 2987755-2987764 call 298ee2a 1031->1034 1042 298774b-298774e 1033->1042 1043 2987742-2987745 RegCloseKey 1033->1043 1044 29876df-29876e2 1034->1044 1041 298753f-2987544 1038->1041 1041->1041 1045 2987546-298754b 1041->1045 1046 29877ec-29877f7 RegCloseKey 1042->1046 1043->1042 1044->1025 1047 29876e4-29876e7 RegCloseKey 1044->1047 1045->1034 1048 2987551-298756b call 298ee95 1045->1048 1046->1022 1047->1025 1048->1034 1051 2987571-2987593 call 2982544 call 298ee95 1048->1051 1056 2987599-29875a0 1051->1056 1057 2987753 1051->1057 1058 29875c8-29875d7 call 298ed03 1056->1058 1059 29875a2-29875c6 call 298ef00 call 298ed03 1056->1059 1057->1034 1065 29875d8-29875da 1058->1065 1059->1065 1067 29875dc 1065->1067 1068 29875df-2987623 call 298ee95 call 2982544 call 298ee95 call 298ee2a 1065->1068 1067->1068 1077 2987626-298762b 1068->1077 1077->1077 1078 298762d-2987634 1077->1078 1079 2987637-298763c 1078->1079 1079->1079 1080 298763e-2987642 1079->1080 1081 298765c-2987673 call 298ed23 1080->1081 1082 2987644-2987656 call 298ed77 1080->1082 1088 2987680 1081->1088 1089 2987675-298767e 1081->1089 1082->1081 1087 2987769-298777c call 298ef00 1082->1087 1094 29877e3-29877e6 RegCloseKey 1087->1094 1090 2987683-298768e call 2986cad 1088->1090 1089->1090 1096 2987722-2987725 1090->1096 1097 2987694-29876bf call 298f1a5 call 2986c96 1090->1097 1094->1046 1098 29876dd 1096->1098 1103 29876d8 1097->1103 1104 29876c1-29876c7 1097->1104 1098->1044 1103->1098 1104->1103 1105 29876c9-29876d2 1104->1105 1105->1103 1106 298777e-2987797 GetFileAttributesExA 1105->1106 1107 2987799 1106->1107 1108 298779a-298779f 1106->1108 1107->1108 1109 29877a1 1108->1109 1110 29877a3-29877a8 1108->1110 1109->1110 1111 29877aa-29877c0 call 298ee08 1110->1111 1112 29877c4-29877c8 1110->1112 1111->1112 1114 29877ca-29877d6 call 298ef00 1112->1114 1115 29877d7-29877dc 1112->1115 1114->1115 1118 29877de 1115->1118 1119 29877e0-29877e2 1115->1119 1118->1119 1119->1094
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 02987472
                                                                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 029874F0
                                                                                                  • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 02987528
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 0298764D
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 029876E7
                                                                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02987706
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02987717
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 02987745
                                                                                                  • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 029877EF
                                                                                                    • Part of subcall function 0298F1A5: lstrlenA.KERNEL32(000000C8,000000E4,029922F8,000000C8,02987150,?), ref: 0298F1AD
                                                                                                  • GetFileAttributesExA.KERNELBASE(00000022,00000000,?), ref: 0298778F
                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 029877E6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                                  • String ID: "
                                                                                                  • API String ID: 3433985886-123907689
                                                                                                  • Opcode ID: e1c2122f8cd53573e814348f9be5281a2dc6022c6700e4ae12192ca01921dfa4
                                                                                                  • Instruction ID: a06f904de8d09b1d5ff360d6e3ed75d26de9aaffdb560bfeb42ecb8082671fe1
                                                                                                  • Opcode Fuzzy Hash: e1c2122f8cd53573e814348f9be5281a2dc6022c6700e4ae12192ca01921dfa4
                                                                                                  • Instruction Fuzzy Hash: D8C18276944209AFEB11ABA4DC44FEEBBBEEF45310F2804A5F544E6190EB31DA54CF60

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1121 298675c-2986778 1122 298677a-298677e SetFileAttributesA 1121->1122 1123 2986784-29867a2 CreateFileA 1121->1123 1122->1123 1124 29867a4-29867b2 CreateFileA 1123->1124 1125 29867b5-29867b8 1123->1125 1124->1125 1126 29867ba-29867bf SetFileAttributesA 1125->1126 1127 29867c5-29867c9 1125->1127 1126->1127 1128 29867cf-29867df GetFileSize 1127->1128 1129 2986977-2986986 1127->1129 1130 298696b 1128->1130 1131 29867e5-29867e7 1128->1131 1132 298696e-2986971 FindCloseChangeNotification 1130->1132 1131->1130 1133 29867ed-298680b ReadFile 1131->1133 1132->1129 1133->1130 1134 2986811-2986824 SetFilePointer 1133->1134 1134->1130 1135 298682a-2986842 ReadFile 1134->1135 1135->1130 1136 2986848-2986861 SetFilePointer 1135->1136 1136->1130 1137 2986867-2986876 1136->1137 1138 2986878-298688f ReadFile 1137->1138 1139 29868d5-29868df 1137->1139 1141 2986891-298689e 1138->1141 1142 29868d2 1138->1142 1139->1132 1140 29868e5-29868eb 1139->1140 1143 29868ed 1140->1143 1144 29868f0-29868fe call 298ebcc 1140->1144 1145 29868a0-29868b5 1141->1145 1146 29868b7-29868ba 1141->1146 1142->1139 1143->1144 1144->1130 1153 2986900-298690b SetFilePointer 1144->1153 1148 29868bd-29868c3 1145->1148 1146->1148 1150 29868c8-29868ce 1148->1150 1151 29868c5 1148->1151 1150->1138 1152 29868d0 1150->1152 1151->1150 1152->1139 1154 298695a-2986969 call 298ec2e 1153->1154 1155 298690d-2986920 ReadFile 1153->1155 1154->1132 1155->1154 1156 2986922-2986958 1155->1156 1156->1132
                                                                                                  APIs
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0298677E
                                                                                                  • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0298679A
                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 029867B0
                                                                                                  • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 029867BF
                                                                                                  • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 029867D3
                                                                                                  • ReadFile.KERNELBASE(000000FF,?,00000040,02988244,00000000,?,75920F10,00000000), ref: 02986807
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0298681F
                                                                                                  • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0298683E
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0298685C
                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000028,02988244,00000000,?,75920F10,00000000), ref: 0298688B
                                                                                                  • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 02986906
                                                                                                  • ReadFile.KERNEL32(000000FF,?,00000000,02988244,00000000,?,75920F10,00000000), ref: 0298691C
                                                                                                  • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 02986971
                                                                                                    • Part of subcall function 0298EC2E: GetProcessHeap.KERNEL32(00000000,0298EA27,00000000,0298EA27,00000000), ref: 0298EC41
                                                                                                    • Part of subcall function 0298EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0298EC48
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                                  • String ID:
                                                                                                  • API String ID: 1400801100-0
                                                                                                  • Opcode ID: 48f78f495e4c727b565ff227dabe42123e7808606827dccab001fcbb0ef50279
                                                                                                  • Instruction ID: d2ad0e7bcd9cdb13f730fda190aff7040d1792ee15d2a22820ba653615465e5d
                                                                                                  • Opcode Fuzzy Hash: 48f78f495e4c727b565ff227dabe42123e7808606827dccab001fcbb0ef50279
                                                                                                  • Instruction Fuzzy Hash: A6711571C04219EFDF159FA8CC80AEEBBBDFB04354F14456AE515AA190E7319E92CF60

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1159 298f315-298f332 1160 298f33b-298f372 call 298ee2a htons socket 1159->1160 1161 298f334-298f336 1159->1161 1165 298f382-298f39b ioctlsocket 1160->1165 1166 298f374-298f37d closesocket 1160->1166 1162 298f424-298f427 1161->1162 1167 298f3aa-298f3f0 connect select 1165->1167 1168 298f39d 1165->1168 1166->1162 1170 298f421 1167->1170 1171 298f3f2-298f401 __WSAFDIsSet 1167->1171 1169 298f39f-298f3a8 closesocket 1168->1169 1173 298f423 1169->1173 1170->1173 1171->1169 1172 298f403-298f416 ioctlsocket call 298f26d 1171->1172 1175 298f41b-298f41f 1172->1175 1173->1162 1175->1173
                                                                                                  APIs
                                                                                                  • htons.WS2_32(0298CA1D), ref: 0298F34D
                                                                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 0298F367
                                                                                                  • closesocket.WS2_32(00000000), ref: 0298F375
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: closesockethtonssocket
                                                                                                  • String ID: time_cfg
                                                                                                  • API String ID: 311057483-2401304539
                                                                                                  • Opcode ID: cfb197f62acc85df333180a52d59eec9b709c4e3e6cde60924a120484c7ed7f9
                                                                                                  • Instruction ID: e3d2a5e3ab84411d0ab1ce94761fd32fb3810c0fff1c8e807c32c8bbebe07968
                                                                                                  • Opcode Fuzzy Hash: cfb197f62acc85df333180a52d59eec9b709c4e3e6cde60924a120484c7ed7f9
                                                                                                  • Instruction Fuzzy Hash: B9318C72944118ABDB10EFA8DC88DFE7BBCFF88360F144566F919E3140E7309A518BA0

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 1176 298405e-298407b CreateEventA 1177 298407d-2984081 1176->1177 1178 2984084-29840a8 call 2983ecd call 2984000 1176->1178 1183 29840ae-29840be call 298ee2a 1178->1183 1184 2984130-298413e call 298ee2a 1178->1184 1183->1184 1190 29840c0-29840f1 call 298eca5 call 2983f18 call 2983f8c 1183->1190 1189 298413f-2984165 call 2983ecd CreateNamedPipeA 1184->1189 1195 2984188-2984193 ConnectNamedPipe 1189->1195 1196 2984167-2984174 Sleep 1189->1196 1207 29840f3-29840ff 1190->1207 1208 2984127-298412a CloseHandle 1190->1208 1199 29841ab-29841c0 call 2983f8c 1195->1199 1200 2984195-29841a5 GetLastError 1195->1200 1196->1189 1201 2984176-2984182 CloseHandle 1196->1201 1199->1195 1209 29841c2-29841f2 call 2983f18 call 2983f8c 1199->1209 1200->1199 1203 298425e-2984265 DisconnectNamedPipe 1200->1203 1201->1195 1203->1195 1207->1208 1210 2984101-2984121 call 2983f18 ExitProcess 1207->1210 1208->1184 1209->1203 1217 29841f4-2984200 1209->1217 1217->1203 1218 2984202-2984215 call 2983f8c 1217->1218 1218->1203 1221 2984217-298421b 1218->1221 1221->1203 1222 298421d-2984230 call 2983f8c 1221->1222 1222->1203 1225 2984232-2984236 1222->1225 1225->1195 1226 298423c-2984251 call 2983f18 1225->1226 1229 298426a-2984276 CloseHandle * 2 call 298e318 1226->1229 1230 2984253-2984259 1226->1230 1232 298427b 1229->1232 1230->1195 1232->1232
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02984070
                                                                                                  • ExitProcess.KERNEL32 ref: 02984121
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateEventExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 2404124870-0
                                                                                                  • Opcode ID: f2ed8a12cf17f3e2c6faf5fa711f22d6e54efba7341d700def4bb74bcca1cff9
                                                                                                  • Instruction ID: 996ae0aa3cd6413b2f8907fffae12830094630d747aeda002677184f28fa880c
                                                                                                  • Opcode Fuzzy Hash: f2ed8a12cf17f3e2c6faf5fa711f22d6e54efba7341d700def4bb74bcca1cff9
                                                                                                  • Instruction Fuzzy Hash: 945180B1D4021ABBEB20BAA48D85FBF7A7DEF61714F080565F614B6180E7358A11CBA1

Control-flow Graph

control_flow_graph 1233 2982d21-2982d44 GetModuleHandleA 1234 2982d5b-2982d69 GetProcAddress 1233->1234 1235 2982d46-2982d52 LoadLibraryA 1233->1235 1236 2982d54-2982d56 1234->1236 1237 2982d6b-2982d7b DnsQuery_A 1234->1237 1235->1234 1235->1236 1238 2982dee-2982df1 1236->1238 1237->1236 1239 2982d7d-2982d88 1237->1239 1240 2982d8a-2982d8b 1239->1240 1241 2982deb 1239->1241 1242 2982d90-2982d95 1240->1242 1241->1238 1243 2982de2-2982de8 1242->1243 1244 2982d97-2982daa GetProcessHeap HeapAlloc 1242->1244 1243->1242 1245 2982dea 1243->1245 1244->1245 1246 2982dac-2982dd9 call 298ee2a lstrcpynA 1244->1246 1245->1241 1249 2982ddb-2982dde 1246->1249 1250 2982de0 1246->1250 1249->1243 1250->1243
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02982F01,?,029820FF,02992000), ref: 02982D3A
• LoadLibraryA.KERNEL32(?), ref: 02982D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02982D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02982D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02982D99
• HeapAlloc.KERNEL32(00000000), ref: 02982DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02982DCB
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: b7590400c897629e7565be4477f279984ea160664335706304972adab4684800
• Instruction ID: 2576d15ba61c5ba789d03a7a91f95078cd84a40cf1a576aaf9f89a688ba305ba
• Opcode Fuzzy Hash: b7590400c897629e7565be4477f279984ea160664335706304972adab4684800
• Instruction Fuzzy Hash: 73217C71D40225ABCB21AF68DC44AAEBFBCEF08B60F054412F905A7100E370D981CBE0

Control-flow Graph

control_flow_graph 1251 29880c9-29880ed call 2986ec3 1254 29880f9-2988115 call 298704c 1251->1254 1255 29880ef call 2987ee6 1251->1255 1260 298811b-2988121 1254->1260 1261 2988225-298822b 1254->1261 1259 29880f4 1255->1259 1259->1261 1260->1261 1264 2988127-298812a 1260->1264 1262 298826c-2988273 1261->1262 1263 298822d-2988233 1261->1263 1263->1262 1265 2988235-298823f call 298675c 1263->1265 1264->1261 1266 2988130-2988167 call 2982544 RegOpenKeyExA 1264->1266 1269 2988244-298824b 1265->1269 1272 298816d-298818b RegQueryValueExA 1266->1272 1273 2988216-2988222 call 298ee2a 1266->1273 1269->1262 1271 298824d-2988269 call 29824c2 call 298ec2e 1269->1271 1271->1262 1275 298818d-2988191 1272->1275 1276 29881f7-29881fe 1272->1276 1273->1261 1275->1276 1281 2988193-2988196 1275->1281 1279 298820d-2988210 RegCloseKey 1276->1279 1280 2988200-2988206 call 298ec2e 1276->1280 1279->1273 1289 298820c 1280->1289 1281->1276 1285 2988198-29881a8 call 298ebcc 1281->1285 1285->1279 1291 29881aa-29881c2 RegQueryValueExA 1285->1291 1289->1279 1291->1276 1292 29881c4-29881ca 1291->1292 1293 29881cd-29881d2 1292->1293 1293->1293 1294 29881d4-29881e5 call 298ebcc 1293->1294 1294->1279 1297 29881e7-29881f5 call 298ef00 1294->1297 1297->1289
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0298815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0298A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02988187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0298A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 029881BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02988210
  • Part of subcall function 0298675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0298677E
  • Part of subcall function 0298675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0298679A
  • Part of subcall function 0298675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 029867B0
  • Part of subcall function 0298675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 029867BF
  • Part of subcall function 0298675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 029867D3
  • Part of subcall function 0298675C: ReadFile.KERNELBASE(000000FF,?,00000040,02988244,00000000,?,75920F10,00000000), ref: 02986807
  • Part of subcall function 0298675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0298681F
  • Part of subcall function 0298675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0298683E
  • Part of subcall function 0298675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0298685C
  • Part of subcall function 0298EC2E: GetProcessHeap.KERNEL32(00000000,0298EA27,00000000,0298EA27,00000000), ref: 0298EC41
  • Part of subcall function 0298EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0298EC48
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\zuvmebno\irxigvn.exe
• API String ID: 124786226-1272795996
• Opcode ID: c6004e40965a92fb1eb97ef73923c32e6157b322958741f640a729b01efbc698
• Instruction ID: 7e056d3715d4828b7e2f06da7c444461a4b4a5e5b8b6f337532238ab31b4d6bc
• Opcode Fuzzy Hash: c6004e40965a92fb1eb97ef73923c32e6157b322958741f640a729b01efbc698
• Instruction Fuzzy Hash: 2B417FB2D4510DBFEB11FBA89D81EBE77BDAB44354F5808AAE905E3000E7305A54CB61

Control-flow Graph

control_flow_graph 1300 2981ac3-2981adc LoadLibraryA 1301 2981b6b-2981b70 1300->1301 1302 2981ae2-2981af3 GetProcAddress 1300->1302 1303 2981b6a 1302->1303 1304 2981af5-2981b01 1302->1304 1303->1301 1305 2981b1c-2981b27 GetAdaptersAddresses 1304->1305 1306 2981b29-2981b2b 1305->1306 1307 2981b03-2981b12 call 298ebed 1305->1307 1308 2981b5b-2981b5e 1306->1308 1309 2981b2d-2981b32 1306->1309 1307->1306 1318 2981b14-2981b1b 1307->1318 1311 2981b69 1308->1311 1313 2981b60-2981b68 call 298ec2e 1308->1313 1309->1311 1312 2981b34-2981b3b 1309->1312 1311->1303 1315 2981b3d-2981b52 1312->1315 1316 2981b54-2981b59 1312->1316 1313->1311 1315->1315 1315->1316 1316->1308 1316->1312 1318->1305
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02981AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02981AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02981B20
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: f22eb223537a55cfef9146ff57233a664f8ca1d9d49a9262ea2ffe82e5641a08
• Instruction ID: a53f6ea26ff892d79bfb986e6b5c47ee5fe24681f9d6ff373539b4950f9cee30
• Opcode Fuzzy Hash: f22eb223537a55cfef9146ff57233a664f8ca1d9d49a9262ea2ffe82e5641a08
• Instruction Fuzzy Hash: 65119A71E01134AFDB15ABADDC858EDBBBDEB44B10F18445EE019E7154E7309A41CB94

Control-flow Graph

control_flow_graph 1320 298e3ca-298e3ee RegOpenKeyExA 1321 298e528-298e52d 1320->1321 1322 298e3f4-298e3fb 1320->1322 1323 298e3fe-298e403 1322->1323 1323->1323 1324 298e405-298e40f 1323->1324 1325 298e411-298e413 1324->1325 1326 298e414-298e452 call 298ee08 call 298f1ed RegQueryValueExA 1324->1326 1325->1326 1331 298e458-298e486 call 298f1ed RegQueryValueExA 1326->1331 1332 298e51d-298e527 RegCloseKey 1326->1332 1335 298e488-298e48a 1331->1335 1332->1321 1335->1332 1336 298e490-298e4a1 call 298db2e 1335->1336 1336->1332 1339 298e4a3-298e4a6 1336->1339 1340 298e4a9-298e4d3 call 298f1ed RegQueryValueExA 1339->1340 1343 298e4e8-298e4ea 1340->1343 1344 298e4d5-298e4da 1340->1344 1343->1332 1346 298e4ec-298e516 call 2982544 call 298e332 1343->1346 1344->1343 1345 298e4dc-298e4e6 1344->1345 1345->1340 1345->1343 1346->1332
APIs
• RegOpenKeyExA.KERNELBASE(80000001,0298E5F2,00000000,00020119,0298E5F2,029922F8), ref: 0298E3E6
• RegQueryValueExA.ADVAPI32(0298E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0298E44E
• RegQueryValueExA.ADVAPI32(0298E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0298E482
• RegQueryValueExA.ADVAPI32(0298E5F2,?,00000000,?,80000001,?), ref: 0298E4CF
• RegCloseKey.ADVAPI32(0298E5F2,?,?,?,?,000000C8,000000E4), ref: 0298E520
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: 4ccaaa5438e25cf5a3273a032b3b675feed692d1373b685effb5b807efd3fe72
• Instruction ID: c19e83861a76d9ff6126e16a18f8513ec944b14f7a3a23af31991c7e60e03a1a
• Opcode Fuzzy Hash: 4ccaaa5438e25cf5a3273a032b3b675feed692d1373b685effb5b807efd3fe72
• Instruction Fuzzy Hash: 304118B2D0021DAFDF11AFE8DC81DFEBBBDEB08304F584466FA14A2150E3319A158B60

Control-flow Graph

control_flow_graph 1351 298f26d-298f303 setsockopt * 5
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0298F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0298F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0298F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0298F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0298F2FD
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: f799d757802421a99006c5f44d0d870836381b1f6b8445c08be64a96b8410c27
• Instruction ID: 84dd851680c6edc0f0b08fd260e4d69916f1812afc91dc41dbcc5899625a07cf
• Opcode Fuzzy Hash: f799d757802421a99006c5f44d0d870836381b1f6b8445c08be64a96b8410c27
• Instruction Fuzzy Hash: 2811FBB1A40248BAEB11DE94CD41FAE7FBCEB44751F004066BB04EA1D0E6B19A44CB94

Control-flow Graph

control_flow_graph 1352 2981bdf-2981c04 call 2981ac3 1354 2981c09-2981c0b 1352->1354 1355 2981c5a-2981c5e 1354->1355 1356 2981c0d-2981c1d GetComputerNameA 1354->1356 1357 2981c1f-2981c24 1356->1357 1358 2981c45-2981c57 GetVolumeInformationA 1356->1358 1357->1358 1359 2981c26-2981c3b 1357->1359 1358->1355 1359->1359 1360 2981c3d-2981c3f 1359->1360 1360->1358 1361 2981c41-2981c43 1360->1361 1361->1355
APIs
  • Part of subcall function 02981AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02981AD4
  • Part of subcall function 02981AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02981AE9
  • Part of subcall function 02981AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02981B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 02981C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02981C51
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2794401326-2393279970
• Opcode ID: 5534037b4a33841759f7aac803f561fb4b0e706be58706a1b196c2b0759c7dbc
• Instruction ID: 2eed7ef97cfaf281464e6038e630795f909223470d73f322d1d574196e291913
• Opcode Fuzzy Hash: 5534037b4a33841759f7aac803f561fb4b0e706be58706a1b196c2b0759c7dbc
• Instruction Fuzzy Hash: 270192B6A04118BFEB10EAF8C8C59FFBBBCEB44655F140875E706E3100D2309E4596A0
                                                                                                  APIs
  • Part of subcall function 02981AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02981AD4
  • Part of subcall function 02981AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02981AE9
  • Part of subcall function 02981AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02981B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 02981BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02981EFD,00000000,00000000,00000000,00000000), ref: 02981BB8
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2794401326-1857712256
• Opcode ID: f2299361be16e57a9a30c273934c3f2633857fe99bbc62a24d288683797a7e53
• Instruction ID: dafd900bac882327f930f0bfa0257805b010f9b72d728841905e362ee9aa7000
• Opcode Fuzzy Hash: f2299361be16e57a9a30c273934c3f2633857fe99bbc62a24d288683797a7e53
• Instruction Fuzzy Hash: BE0162B7D0410CBFE701ABE9C8819EFFBBDEB48664F150565AB15F7140D5705E058AA0
APIs
• inet_addr.WS2_32(00000001), ref: 02982693
• gethostbyname.WS2_32(00000001), ref: 0298269F
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: 8e5eb2dcb5ac4737897dec8cfe12ab4c97630104044eb92b17c3fa8f405aa454
• Instruction ID: 57828e58794e60174b306a91036b5e0b9dd67cdc4fae94ab3d5df90cecc685d3
• Opcode Fuzzy Hash: 8e5eb2dcb5ac4737897dec8cfe12ab4c97630104044eb92b17c3fa8f405aa454
• Instruction Fuzzy Hash: 65E01230E185519FDB50AB2CF444BE977E9EF4A230F094586F854D7194D734DC819794
APIs
  • Part of subcall function 0298DD05: GetTickCount.KERNEL32 ref: 0298DD0F
  • Part of subcall function 0298DD05: InterlockedExchange.KERNEL32(029936B4,00000001), ref: 0298DD44
  • Part of subcall function 0298DD05: GetCurrentThreadId.KERNEL32 ref: 0298DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0298A445), ref: 0298E558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,0298A445), ref: 0298E583
• CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0298A445), ref: 0298E5B2
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
• Opcode ID: 35b8dcb71096c31908c9f8443228ef3409b0735266e6b3741834aab328b26735
• Instruction ID: 3dc5a9d0160eaa49e60dbf7348091df2c74bd92b992bf27e0c5baa820b8c6822
• Opcode Fuzzy Hash: 35b8dcb71096c31908c9f8443228ef3409b0735266e6b3741834aab328b26735
• Instruction Fuzzy Hash: CF2107B29843013AF6207B399C15FAB3A4DDFD1720F080454BE4EB11D2EA56D810C9F1
APIs
• Sleep.KERNELBASE(000003E8), ref: 029888A5
  • Part of subcall function 0298F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0298E342,00000000,7508EA50,80000001,00000000,0298E513,?,00000000,00000000,?,000000E4), ref: 0298F089
  • Part of subcall function 0298F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0298E342,00000000,7508EA50,80000001,00000000,0298E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0298F093
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
• Opcode ID: 88cad9b0d926050b5ba0a0d4947bfae381a932c6939e0b29e6edd9325d68ae9b
• Instruction ID: 63a182f673d2da8001ed3c51eefe853799e60230222b95f6768530bcb1f699e7
• Opcode Fuzzy Hash: 88cad9b0d926050b5ba0a0d4947bfae381a932c6939e0b29e6edd9325d68ae9b
• Instruction Fuzzy Hash: B6219531D8C3057AF314FB686C46F7A369AAB95734FDC081AF914950C1EBA145D489B2
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,029922F8,029842B6,00000000,00000001,029922F8,00000000,?,029898FD), ref: 02984021
• GetLastError.KERNEL32(?,029898FD,00000001,00000100,029922F8,0298A3C7), ref: 0298402C
• Sleep.KERNEL32(000001F4,?,029898FD,00000001,00000100,029922F8,0298A3C7), ref: 02984046
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 2f33dd5361c6ff9bd96a34e26e377d287d8d1edaebc355b22adfcea531239884
• Instruction ID: 53cee997da6cf2ba073c8639673b62d76af91ac29bb8e962ae279b336dd364ee
• Opcode Fuzzy Hash: 2f33dd5361c6ff9bd96a34e26e377d287d8d1edaebc355b22adfcea531239884
• Instruction Fuzzy Hash: C0F0A7326442026BD7312E38AC49B2B3269EF81738F2A5F24F3B5F20D0C7304481DB14
APIs
• GetEnvironmentVariableA.KERNEL32(0298DC19,?,00000104), ref: 0298DB7F
• lstrcpyA.KERNEL32(?,029928F8), ref: 0298DBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0298DBC2
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
• Opcode ID: 880dfab591c80af6887e216c071415f7e6ffddce9f0f0513028a5a67aa558e97
• Instruction ID: e40b346171dc1b5fc850be296c1b1a4153f8dc794dbe64f327480e4ac3506975
• Opcode Fuzzy Hash: 880dfab591c80af6887e216c071415f7e6ffddce9f0f0513028a5a67aa558e97
• Instruction Fuzzy Hash: 7DF09A70540209ABEF209F68DC89FE93B69AB10318F2045A4BBA1A40D0D7F2D595CB20
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0298EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0298EC72
• GetTickCount.KERNEL32 ref: 0298EC78
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 607946f0a127955c225b8de1de9bf8dec4093f078e036b8255709b1e3e758518
• Instruction ID: 80ccca4edf9ae199d124da602c1f9d0804bbe466829c523f0cdb7a0c3e6b826d
• Opcode Fuzzy Hash: 607946f0a127955c225b8de1de9bf8dec4093f078e036b8255709b1e3e758518
• Instruction Fuzzy Hash: 42E09AF5C54104BFE701ABB4DC4AE7B77BCFB08325F500A50B921D6090DA709A14CB64
APIs
• gethostname.WS2_32(?,00000080), ref: 029830D8
• gethostbyname.WS2_32(?), ref: 029830E2
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
• Opcode ID: c67508d8697c06587b6f1f8dbae2e19d2dcb27e8624e7100eda8f96ab6f8ca15
• Instruction ID: 0309094f7022ce7dbcc88c6519089ee09edaa974d96c5529417047d8ef83bed6
• Opcode Fuzzy Hash: c67508d8697c06587b6f1f8dbae2e19d2dcb27e8624e7100eda8f96ab6f8ca15
• Instruction Fuzzy Hash: CCE09B72D001199BCF10EBACEC85FAA77ECFF04318F080461F945E3244EA34E5048790
APIs
  • Part of subcall function 0298EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0298EC0A,00000000,80000001,?,0298DB55,7FFF0001), ref: 0298EBAD
  • Part of subcall function 0298EBA0: HeapSize.KERNEL32(00000000,?,0298DB55,7FFF0001), ref: 0298EBB4
• GetProcessHeap.KERNEL32(00000000,0298EA27,00000000,0298EA27,00000000), ref: 0298EC41
• RtlFreeHeap.NTDLL(00000000), ref: 0298EC48
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
• Opcode ID: 63540fdec8d37f631f0d7c4cac6adffcd5ab4042185b9fdfad95244b72f32b5b
• Instruction ID: aa338eabc69fc14c678a948624b2e67cc55749e6a27e84cc1d1f92c70c4c8615
• Opcode Fuzzy Hash: 63540fdec8d37f631f0d7c4cac6adffcd5ab4042185b9fdfad95244b72f32b5b
• Instruction Fuzzy Hash: B1C01232C4A2306FC5613A55B81CFAB6B5C9F46621F0D0809F54566044876058404AE1
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0298EBFE,7FFF0001,?,0298DB55,7FFF0001), ref: 0298EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0298DB55,7FFF0001), ref: 0298EBDA
  • Part of subcall function 0298EB74: GetProcessHeap.KERNEL32(00000000,00000000,0298EC28,00000000,?,0298DB55,7FFF0001), ref: 0298EB81
  • Part of subcall function 0298EB74: HeapSize.KERNEL32(00000000,?,0298DB55,7FFF0001), ref: 0298EB88
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: 1d34f3c952355845393f96f3a3c56832e984cf6fe335c94cae08c48a323836fa
• Instruction ID: a91a657fbbab919b26825fc73b2044e7e84f1a34c6c916ec3cb232409541e797
• Opcode Fuzzy Hash: 1d34f3c952355845393f96f3a3c56832e984cf6fe335c94cae08c48a323836fa
• Instruction Fuzzy Hash: C0C0803254C2206FC61137E97C0CFAA3E94DF44372F0C0404F505C1154C73048508F95
APIs
• recv.WS2_32(000000C8,?,00000000,0298CA44), ref: 0298F476
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: 1a26aede9f0c03e9c8786a666c7faf16bb509be0eb0f4d5c30fbdad4496af658
• Instruction ID: fadb3820e9cd622c810cab77b2c729c79baaf0d8d22d8d9bebab024e523880bc
• Opcode Fuzzy Hash: 1a26aede9f0c03e9c8786a666c7faf16bb509be0eb0f4d5c30fbdad4496af658
• Instruction Fuzzy Hash: A5F0127320155DAB9B11AE6DDC88CAB3BAEFBC93507480522FA19D7110D631D8218B60
APIs
• closesocket.WS2_32(00000000), ref: 02981992
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: b8053f993ce58b79e2800daf84463e8b9f402868626fd926ba818ad33928429b
• Instruction ID: e01639e2ffc6677fa278dc97ba4b3425b44fb3fb63e546725e0d9e96701e9c65
• Opcode Fuzzy Hash: b8053f993ce58b79e2800daf84463e8b9f402868626fd926ba818ad33928429b
• Instruction Fuzzy Hash: 5CD012265486316A56113769F80447FBB9CDF49672751941BFC4CC1150D735C8428795
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 0298DDB5
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: c9387a3b86140ab163a81ae0794e09c5812715b1676e31b3d2b7f240ed1628f7
• Instruction ID: ddc48530194ff9d9aed845dda71d042223b8ee90acb44369585cb105fd40e411
• Opcode Fuzzy Hash: c9387a3b86140ab163a81ae0794e09c5812715b1676e31b3d2b7f240ed1628f7
• Instruction Fuzzy Hash: 85F01231604302DBDB20EE799844656B7ECEF46329F1C4D2EE559D66C0E730D855CB71
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02989816,EntryPoint), ref: 0298638F
                                                                                                  • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02989816,EntryPoint), ref: 029863A9
                                                                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029863CA
                                                                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029863EB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 1965334864-0
                                                                                                  • Opcode ID: 54712eb7cff0b3db28bf4bd4ccb2856ecfacad9fda8f305ed7dfb5949dd8335b
                                                                                                  • Instruction ID: db48889a4a94b8234ca0a1e58556dfc574071319b5bb0fe7754b372a4a69dbc7
                                                                                                  • Opcode Fuzzy Hash: 54712eb7cff0b3db28bf4bd4ccb2856ecfacad9fda8f305ed7dfb5949dd8335b
                                                                                                  • Instruction Fuzzy Hash: A4119472A04219BFDB215E69DC49FAB3BACEB447A5F044425F914DA240D770DC108AA0
                                                                                                  APIs
                                                                                                  • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02981839,02989646), ref: 02981012
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 029810C2
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 029810E1
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02981101
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02981121
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02981140
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02981160
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02981180
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0298119F
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtClose), ref: 029811BF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 029811DF
                                                                                                  • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 029811FE
                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0298121A
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                  • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                                  • API String ID: 2238633743-3228201535
                                                                                                  • Opcode ID: 68c6c2bb2444b1ec1a508efac315e98707a19dfd55257dbd4c1a771081e63ef0
                                                                                                  • Instruction ID: c38052cf99f22bc0454b340778262cc33547d4558e61e495a3f597a11e64f12a
                                                                                                  • Opcode Fuzzy Hash: 68c6c2bb2444b1ec1a508efac315e98707a19dfd55257dbd4c1a771081e63ef0
                                                                                                  • Instruction Fuzzy Hash: E651657198A602EFEB25AFADEC4477236EC6748234F180B96D82AD21D0D770C4D2CF59
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0298B2B3
                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0298B2C2
                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0298B2D0
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0298B2E1
                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0298B31A
                                                                                                  • GetTimeZoneInformation.KERNEL32(?), ref: 0298B329
                                                                                                  • wsprintfA.USER32 ref: 0298B3B7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                                  • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                                  • API String ID: 766114626-2976066047
                                                                                                  • Opcode ID: 995b5e55aba15fb063328777294a0d635db8dce1f43b2d6d7b16914a3e232a64
                                                                                                  • Instruction ID: 1f03a46b49f8dda3819d7d54bec880aabf050504d0b9e0ad90618c61f980b4a0
                                                                                                  • Opcode Fuzzy Hash: 995b5e55aba15fb063328777294a0d635db8dce1f43b2d6d7b16914a3e232a64
                                                                                                  • Instruction Fuzzy Hash: E35150B2E0021DAADF14DFD8D9859EFBBF9FF48319F14445AE521B6150E3344A89CB50
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                                  • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                                  • API String ID: 2400214276-165278494
                                                                                                  • Opcode ID: 0ca7e99f69e3d63eceb5f735eeff798ddc5e65a30c9e68c8b6958062802dae7d
                                                                                                  • Instruction ID: cfe2be0ad640c0778e20a23b1b75ad81cbf6f3109631bb3a649a0a20749ee75a
                                                                                                  • Opcode Fuzzy Hash: 0ca7e99f69e3d63eceb5f735eeff798ddc5e65a30c9e68c8b6958062802dae7d
                                                                                                  • Instruction Fuzzy Hash: 2E618B72940208AFEF60AFA8DC45FEA77E9FF48310F144469F969D6161EB709950CF50
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$send$lstrlenrecv
                                                                                                  • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                                  • API String ID: 3650048968-4264063882
                                                                                                  • Opcode ID: 600cfb67b50098b9781646772a55edc1eb744a67691457cf97739894bfd36252
                                                                                                  • Instruction ID: 5e5beac83cc668fb8eb5f545d6001f405103a5fdfc12a924a0987293aa17c825
                                                                                                  • Opcode Fuzzy Hash: 600cfb67b50098b9781646772a55edc1eb744a67691457cf97739894bfd36252
                                                                                                  • Instruction Fuzzy Hash: 15A13C72944305ABEF20BE58DC85FBE3B6EFB40718F1C046BF906A6090EB719954CB55
                                                                                                  APIs
                                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0298139A
                                                                                                  • lstrlenW.KERNEL32(-00000003), ref: 02981571
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExecuteShelllstrlen
                                                                                                  • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                                  • API String ID: 1628651668-3716895483
                                                                                                  • Opcode ID: 9ba539e906b801852da19f032eab469089411ef3c8ef903165106469d386731f
                                                                                                  • Instruction ID: 03a5ff2ff2db12c5c186e4e04e051d2a6df14779f937cee31496ccf4cb699816
                                                                                                  • Opcode Fuzzy Hash: 9ba539e906b801852da19f032eab469089411ef3c8ef903165106469d386731f
                                                                                                  • Instruction Fuzzy Hash: 4EF18CB5508341DFD720EF68C888B6BB7E9FB88314F084D1DF99A97280D7749845CB56
                                                                                                  APIs
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 02982A83
                                                                                                  • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 02982A86
                                                                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 02982AA0
                                                                                                  • htons.WS2_32(00000000), ref: 02982ADB
                                                                                                  • select.WS2_32 ref: 02982B28
                                                                                                  • recv.WS2_32(?,00000000,00001000,00000000), ref: 02982B4A
                                                                                                  • htons.WS2_32(?), ref: 02982B71
                                                                                                  • htons.WS2_32(?), ref: 02982B8C
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02982BFB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                                  • String ID:
                                                                                                  • API String ID: 1639031587-0
                                                                                                  • Opcode ID: 864df5cdae5595f36b06955c04aca44bd561bf0d769cddbeebf8d5393d553d5b
                                                                                                  • Instruction ID: da7fdab12cc7b307251bfcb8bde747ca895b4b5fa2e65b30c6052589a176117d
                                                                                                  • Opcode Fuzzy Hash: 864df5cdae5595f36b06955c04aca44bd561bf0d769cddbeebf8d5393d553d5b
                                                                                                  • Instruction Fuzzy Hash: 4B61C071D083459FD720AF69DC08B7ABBE8FF88755F080849FE5997180D7B4D8408BA2
                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 029870C2
                                                                                                  • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0298719E
                                                                                                  • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 029871B2
                                                                                                  • RegCloseKey.ADVAPI32(75920F10), ref: 02987208
                                                                                                  • RegCloseKey.ADVAPI32(75920F10), ref: 02987291
                                                                                                  • ___ascii_stricmp.LIBCMT ref: 029872C2
                                                                                                  • RegCloseKey.ADVAPI32(75920F10), ref: 029872D0
                                                                                                  • RegCloseKey.ADVAPI32(75920F10), ref: 02987314
                                                                                                  • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0298738D
                                                                                                  • RegCloseKey.ADVAPI32(75920F10), ref: 029873D8
                                                                                                    • Part of subcall function 0298F1A5: lstrlenA.KERNEL32(000000C8,000000E4,029922F8,000000C8,02987150,?), ref: 0298F1AD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                                  • String ID: $"
                                                                                                  • API String ID: 4293430545-3817095088
                                                                                                  • Opcode ID: 6a3cc8b16f3d53ac443c21fa48f19dcd018412f9d080db564ccbcbb7357d7280
                                                                                                  • Instruction ID: f69ff347858e4ae3397e0a494bcb42deac3470c6db407947c0fb47d1c408b4b5
                                                                                                  • Opcode Fuzzy Hash: 6a3cc8b16f3d53ac443c21fa48f19dcd018412f9d080db564ccbcbb7357d7280
                                                                                                  • Instruction Fuzzy Hash: 91B1AD76D44209AEEF14BFA4EC44BEEB7BDEF44314F280466F511E6090EB319A84CB61
                                                                                                  APIs
                                                                                                  • GetLocalTime.KERNEL32(?), ref: 0298AD98
                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0298ADA6
                                                                                                    • Part of subcall function 0298AD08: gethostname.WS2_32(?,00000080), ref: 0298AD1C
                                                                                                    • Part of subcall function 0298AD08: lstrlenA.KERNEL32(?), ref: 0298AD60
                                                                                                    • Part of subcall function 0298AD08: lstrlenA.KERNEL32(?), ref: 0298AD69
                                                                                                    • Part of subcall function 0298AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 0298AD7F
                                                                                                    • Part of subcall function 029830B5: gethostname.WS2_32(?,00000080), ref: 029830D8
                                                                                                    • Part of subcall function 029830B5: gethostbyname.WS2_32(?), ref: 029830E2
                                                                                                  • wsprintfA.USER32 ref: 0298AEA5
                                                                                                    • Part of subcall function 0298A7A3: inet_ntoa.WS2_32(00000000), ref: 0298A7A9
                                                                                                  • wsprintfA.USER32 ref: 0298AE4F
                                                                                                  • wsprintfA.USER32 ref: 0298AE5E
                                                                                                    • Part of subcall function 0298EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0298EF92
                                                                                                    • Part of subcall function 0298EF7C: lstrlenA.KERNEL32(?), ref: 0298EF99
                                                                                                    • Part of subcall function 0298EF7C: lstrlenA.KERNEL32(00000000), ref: 0298EFA0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                                  • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                                  • API String ID: 3631595830-1816598006
                                                                                                  • Opcode ID: c6f79fe8b12100e01a28c7bcf6ca37949981745c5965d19bb3afbd061f82e1b3
                                                                                                  • Instruction ID: ea1668d92175c980d9a1689207da1c170e667d4bc06697ebbd169413adeabbee
                                                                                                  • Opcode Fuzzy Hash: c6f79fe8b12100e01a28c7bcf6ca37949981745c5965d19bb3afbd061f82e1b3
                                                                                                  • Instruction Fuzzy Hash: C3410DB290024CABEF25BFA4DC45EEE3BADFF48310F18482AB92592151EA71D554CF50
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,02982F0F,?,029820FF,02992000), ref: 02982E01
                                                                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02982F0F,?,029820FF,02992000), ref: 02982E11
                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02982E2E
                                                                                                  • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02982F0F,?,029820FF,02992000), ref: 02982E4C
                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,02982F0F,?,029820FF,02992000), ref: 02982E4F
                                                                                                  • htons.WS2_32(00000035), ref: 02982E88
                                                                                                  • inet_addr.WS2_32(?), ref: 02982E93
                                                                                                  • gethostbyname.WS2_32(?), ref: 02982EA6
                                                                                                  • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02982F0F,?,029820FF,02992000), ref: 02982EE3
                                                                                                  • HeapFree.KERNEL32(00000000,?,00000000,02982F0F,?,029820FF,02992000), ref: 02982EE6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                                  • String ID: GetNetworkParams$iphlpapi.dll
                                                                                                  • API String ID: 929413710-2099955842
                                                                                                  • Opcode ID: 83cfeef8029747f91f625180915ad63496c035403207546f5bd015a9b24bc87b
                                                                                                  • Instruction ID: 2f9283dcfed3d1d152727a1846c94fa3b7fe92885d8bd5697cff245c0e583369
                                                                                                  • Opcode Fuzzy Hash: 83cfeef8029747f91f625180915ad63496c035403207546f5bd015a9b24bc87b
                                                                                                  • Instruction Fuzzy Hash: 1931B333D40349ABDB10ABBC9848B7E77BCAF04375F180555ED24E7291E730D5518B58
                                                                                                  APIs
                                                                                                  • GetVersionExA.KERNEL32(?,?,02989DD7,?,00000022,?,?,00000000,00000001), ref: 02989340
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02989DD7,?,00000022,?,?,00000000,00000001), ref: 0298936E
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,?,02989DD7,?,00000022,?,?,00000000,00000001), ref: 02989375
                                                                                                  • wsprintfA.USER32 ref: 029893CE
                                                                                                  • wsprintfA.USER32 ref: 0298940C
                                                                                                  • wsprintfA.USER32 ref: 0298948D
                                                                                                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029894F1
                                                                                                  • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02989526
                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02989571
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                                  • String ID: runas
                                                                                                  • API String ID: 3696105349-4000483414
                                                                                                  • Opcode ID: 6dd8debf2bf3b94b825d281c97dcbb0e904b65bed47f6dd5ed4ba0457fb02a20
                                                                                                  • Instruction ID: e63155294a072fc058a01712c392b318d04f067c35c82c392eb7853f6ae47699
                                                                                                  • Opcode Fuzzy Hash: 6dd8debf2bf3b94b825d281c97dcbb0e904b65bed47f6dd5ed4ba0457fb02a20
                                                                                                  • Instruction Fuzzy Hash: F4A1ACB2940248AFFB21AFA4CC85FEE3BACEB44744F180426FA15A2251E771D554CFA0
                                                                                                  APIs
                                                                                                  • wsprintfA.USER32 ref: 0298B467
                                                                                                    • Part of subcall function 0298EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 0298EF92
                                                                                                    • Part of subcall function 0298EF7C: lstrlenA.KERNEL32(?), ref: 0298EF99
                                                                                                    • Part of subcall function 0298EF7C: lstrlenA.KERNEL32(00000000), ref: 0298EFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$wsprintf
                                                                                                  • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                                  • API String ID: 1220175532-2340906255
                                                                                                  • Opcode ID: bbdd9bdc395965efaa1a15606fde2dc933cca45606024e4b0e2c170e9faeb120
                                                                                                  • Instruction ID: b8ac6829424b5c9594f4159e703559917d757af3d09592f7cf60c1b3d6e5259c
                                                                                                  • Opcode Fuzzy Hash: bbdd9bdc395965efaa1a15606fde2dc933cca45606024e4b0e2c170e9faeb120
                                                                                                  • Instruction Fuzzy Hash: 2D4162B25401187EEF01BBA8CCC1CBF7B6DEF89658F184425F915A2040EB31AD18CBA5
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 02982078
                                                                                                  • GetTickCount.KERNEL32 ref: 029820D4
                                                                                                  • GetTickCount.KERNEL32 ref: 029820DB
                                                                                                  • GetTickCount.KERNEL32 ref: 0298212B
                                                                                                  • GetTickCount.KERNEL32 ref: 02982132
                                                                                                  • GetTickCount.KERNEL32 ref: 02982142
                                                                                                    • Part of subcall function 0298F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0298E342,00000000,7508EA50,80000001,00000000,0298E513,?,00000000,00000000,?,000000E4), ref: 0298F089
                                                                                                    • Part of subcall function 0298F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0298E342,00000000,7508EA50,80000001,00000000,0298E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0298F093
                                                                                                    • Part of subcall function 0298E854: lstrcpyA.KERNEL32(00000001,?,?,0298D8DF,00000001,localcfg,except_info,00100000,02990264), ref: 0298E88B
                                                                                                    • Part of subcall function 0298E854: lstrlenA.KERNEL32(00000001,?,0298D8DF,00000001,localcfg,except_info,00100000,02990264), ref: 0298E899
                                                                                                    • Part of subcall function 02981C5F: wsprintfA.USER32 ref: 02981CE1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                                  • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                                  • API String ID: 3976553417-1522128867
                                                                                                  • Opcode ID: 95c181ebd357c59a878b97753adf2bb6ff407b48e5305ef37c2a83ac1c3654e4
                                                                                                  • Instruction ID: d8d399f81aec38e9c4eca2a1c71ca1d4ceb9a4945e31c66b1cf2e2cbafb96d1d
                                                                                                  • Opcode Fuzzy Hash: 95c181ebd357c59a878b97753adf2bb6ff407b48e5305ef37c2a83ac1c3654e4
                                                                                                  • Instruction Fuzzy Hash: 83512671D893856EE72CFF38ED45B7A3BD9AB50324F18081EEE45C6190DBB49098CA11
                                                                                                  APIs
                                                                                                    • Part of subcall function 0298A4C7: GetTickCount.KERNEL32 ref: 0298A4D1
                                                                                                    • Part of subcall function 0298A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0298A4FA
                                                                                                  • GetTickCount.KERNEL32 ref: 0298C31F
                                                                                                  • GetTickCount.KERNEL32 ref: 0298C32B
                                                                                                  • GetTickCount.KERNEL32 ref: 0298C363
                                                                                                  • GetTickCount.KERNEL32 ref: 0298C378
                                                                                                  • GetTickCount.KERNEL32 ref: 0298C44D
                                                                                                  • InterlockedIncrement.KERNEL32(0298C4E4), ref: 0298C4AE
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,0298B535,00000000,?,0298C4E0), ref: 0298C4C1
                                                                                                  • CloseHandle.KERNEL32(00000000,?,0298C4E0,02993588,02988810), ref: 0298C4CC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1553760989-1857712256
                                                                                                  • Opcode ID: e97baa20d7087d8eee990b1eac5fcf47180b6962d92b9750efe12e68c6b71df7
                                                                                                  • Instruction ID: be889bdb5fecf1f4952ab6d37b0989244427913977bdedd4b42c9053cfc610ef
                                                                                                  • Opcode Fuzzy Hash: e97baa20d7087d8eee990b1eac5fcf47180b6962d92b9750efe12e68c6b71df7
                                                                                                  • Instruction Fuzzy Hash: 4E515BB1A00B418FD728AF69C58462ABBE9FB48304B545D3FD18BC7A90D774F845CB24
                                                                                                  APIs
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0298BE4F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0298BE5B
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0298BE67
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0298BF6A
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0298BF7F
                                                                                                  • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0298BF94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmpi
                                                                                                  • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                                  • API String ID: 1586166983-1625972887
                                                                                                  • Opcode ID: 4c7b3b75bcfde1625f2c8b240097050ca5865b4747d60f9bdce787cc0a9693a6
                                                                                                  • Instruction ID: 616b6b1ee470bb7049d39998575360a97f83b858843bedc1441bfeb243b0b54a
                                                                                                  • Opcode Fuzzy Hash: 4c7b3b75bcfde1625f2c8b240097050ca5865b4747d60f9bdce787cc0a9693a6
                                                                                                  • Instruction Fuzzy Hash: 61519031A0031AAFDF11BF68C860B6EBBA9AF4435CF0C4465E945DB251D730E941CF90
                                                                                                  APIs
                                                                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986A7D
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(02989E9D,02989A60,?,?,?,029922F8,?,?,?,02989A60,?,?,02989E9D), ref: 02986ABB
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986B40
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986B4E
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986B5F
                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986B6F
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986B7D
                                                                                                  • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02989A60,?,?,02989E9D), ref: 02986B80
                                                                                                  • GetLastError.KERNEL32(?,?,?,02989A60,?,?,02989E9D,?,?,?,?,?,02989E9D,?,00000022,?), ref: 02986B96
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188212458-0
                                                                                                  • Opcode ID: b33e1173fd890baa466c6bd3926fb6b80cdc40c4bbae3ac588d9fcae1a3236b9
                                                                                                  • Instruction ID: b6d5d2f9b9fa1ae50041766b9cc9b1c9e1dc43fabeb79ed3f4e3e30fa0702b27
                                                                                                  • Opcode Fuzzy Hash: b33e1173fd890baa466c6bd3926fb6b80cdc40c4bbae3ac588d9fcae1a3236b9
                                                                                                  • Instruction Fuzzy Hash: A631B3B2D0814DBFDB11AFA88844EEE7B7DEF84324F18486AE661A7240D7309565CF61
                                                                                                  APIs
                                                                                                  • GetUserNameA.ADVAPI32(?,0298D7C3), ref: 02986F7A
                                                                                                  • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0298D7C3), ref: 02986FC1
                                                                                                  • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02986FE8
                                                                                                  • LocalFree.KERNEL32(00000120), ref: 0298701F
                                                                                                  • wsprintfA.USER32 ref: 02987036
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                                  • String ID: /%d$|
                                                                                                  • API String ID: 676856371-4124749705
                                                                                                  • Opcode ID: ec4edf8074ea342388521e44cfc66e16710256719b9e550ee8347654728e1fad
                                                                                                  • Instruction ID: 3af57424332e7bd61e8fe7591602dc3daebae6e38f27252797d5ddde0a02c44c
                                                                                                  • Opcode Fuzzy Hash: ec4edf8074ea342388521e44cfc66e16710256719b9e550ee8347654728e1fad
                                                                                                  • Instruction Fuzzy Hash: 31312B76904108AFDB01EFA8D848AEE7BBCEF04364F188166F859DB101EB35D618CB94
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,029922F8,000000E4,02986DDC,000000C8), ref: 02986CE7
                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 02986CEE
                                                                                                  • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02986D14
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02986D2B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                                  • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                                  • API String ID: 1082366364-3395550214
                                                                                                  • Opcode ID: 68b8eb4f023dc9f0eb4256fb96ee166212224fabfdf3b7420e9a78aded43e64a
                                                                                                  • Instruction ID: bb9cf705cbeba79d61de9913933046ec371d0ea483b8a1e52a4aaa5d6304a85f
                                                                                                  • Opcode Fuzzy Hash: 68b8eb4f023dc9f0eb4256fb96ee166212224fabfdf3b7420e9a78aded43e64a
                                                                                                  • Instruction Fuzzy Hash: C221F362EC924479FB32772A9CD9F7B3E8D8F82764F0C0444FC48AA181EB95844586A5
                                                                                                  APIs
                                                                                                  • CreateProcessA.KERNEL32(00000000,02989947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,029922F8), ref: 029897B1
                                                                                                  • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,029922F8), ref: 029897EB
                                                                                                  • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,029922F8), ref: 029897F9
                                                                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,029922F8), ref: 02989831
                                                                                                  • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,029922F8), ref: 0298984E
                                                                                                  • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,029922F8), ref: 0298985B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                                  • String ID: D
                                                                                                  • API String ID: 2981417381-2746444292
                                                                                                  • Opcode ID: bf645d114e75af52adfa44f80bad1042d11aec3142697071a13804ed051bc95b
                                                                                                  • Instruction ID: eec6b2dcbc1fdf6ac486ded460cd25d702b5e73e9ef381c08a0a23ab5ec05261
                                                                                                  • Opcode Fuzzy Hash: bf645d114e75af52adfa44f80bad1042d11aec3142697071a13804ed051bc95b
                                                                                                  • Instruction Fuzzy Hash: C0213D72D41119BBEB21AFA1DC49FFF7B7CEF09654F040461BA19E1150EB309654CEA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 0298DD05: GetTickCount.KERNEL32 ref: 0298DD0F
                                                                                                    • Part of subcall function 0298DD05: InterlockedExchange.KERNEL32(029936B4,00000001), ref: 0298DD44
                                                                                                    • Part of subcall function 0298DD05: GetCurrentThreadId.KERNEL32 ref: 0298DD53
                                                                                                    • Part of subcall function 0298DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0298DDB5
                                                                                                  • lstrcpynA.KERNEL32(?,02981E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0298EAAA,?,?), ref: 0298E8DE
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0298EAAA,?,?,00000001,?,02981E84,?), ref: 0298E935
                                                                                                  • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0298EAAA,?,?,00000001,?,02981E84,?,0000000A), ref: 0298E93D
                                                                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0298EAAA,?,?,00000001,?,02981E84,?), ref: 0298E94F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                                  • String ID: flags_upd$localcfg
                                                                                                  • API String ID: 204374128-3505511081
                                                                                                  • Opcode ID: 5ee37d6ef2b31b77a968716b8758c8070f85a4bf36286de025ee690a24390b62
                                                                                                  • Instruction ID: 33cd7051682761a5dba5af30e4da69178928369ea9236188aa759e98254e8c30
                                                                                                  • Opcode Fuzzy Hash: 5ee37d6ef2b31b77a968716b8758c8070f85a4bf36286de025ee690a24390b62
                                                                                                  • Instruction Fuzzy Hash: EF512F72D0020AAFCB11EFA8C984DAEB7F9FF48304F18456AE445A7251E775EA14CF60
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Code
                                                                                                  • String ID:
                                                                                                  • API String ID: 3609698214-0
                                                                                                  • Opcode ID: c82145f6bcee0aee9c87d033f670d8d72289647bedb8eaf12786d2a948d8e25a
                                                                                                  • Instruction ID: 35bdf3b5f98bfbe35e8c60986a96b043bdaa2d53a743567c61492fac3a6e7dc9
                                                                                                  • Opcode Fuzzy Hash: c82145f6bcee0aee9c87d033f670d8d72289647bedb8eaf12786d2a948d8e25a
                                                                                                  • Instruction Fuzzy Hash: 3F218C76908115FFDB11ABA5ED89DAF3EADEB44364B144819F702E5080EB319A10DA74
                                                                                                  APIs
                                                                                                  • GetTempPathA.KERNEL32(00000400,?,00000000,029922F8), ref: 0298907B
                                                                                                  • wsprintfA.USER32 ref: 029890E9
                                                                                                  • CreateFileA.KERNEL32(029922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0298910E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02989122
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0298912D
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 02989134
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2439722600-0
                                                                                                  • Opcode ID: b86e7f9d5517d526b78b3fa44614f92f228e2f912f56c5177cd7599bcc1effb5
                                                                                                  • Instruction ID: e8f00ece64bcc86b675d10804696ba88ea4a870167a214534b8bcd413ab24978
                                                                                                  • Opcode Fuzzy Hash: b86e7f9d5517d526b78b3fa44614f92f228e2f912f56c5177cd7599bcc1effb5
                                                                                                  • Instruction Fuzzy Hash: 7E11B1F2A841147BFB257626DC09FBF3A6FDFC5B10F048465BB1AA1080EA704A118AA0
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0298DD0F
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0298DD20
                                                                                                  • GetTickCount.KERNEL32 ref: 0298DD2E
                                                                                                  • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0298E538,?,75920F10,?,00000000,?,0298A445), ref: 0298DD3B
                                                                                                  • InterlockedExchange.KERNEL32(029936B4,00000001), ref: 0298DD44
                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 0298DD53
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 3819781495-0
                                                                                                  • Opcode ID: 5fd9dc3f1e4cd301af3d9c7f2ff11a8f6de7a6072ff233cf2b83fa6c8ca31cbb
                                                                                                  • Instruction ID: 2c673a426178dcce9638fb9b269a202dd80fac9e4957a387a3b3babf4c3b5ebc
                                                                                                  • Opcode Fuzzy Hash: 5fd9dc3f1e4cd301af3d9c7f2ff11a8f6de7a6072ff233cf2b83fa6c8ca31cbb
                                                                                                  • Instruction Fuzzy Hash: 91F0827398C2049FDB806F7DA88AB397BB9FB45332F0C0855E509C2681D7205465CF76
                                                                                                  APIs
                                                                                                  • gethostname.WS2_32(?,00000080), ref: 0298AD1C
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0298AD60
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0298AD69
                                                                                                  • lstrcpyA.KERNEL32(?,LocalHost), ref: 0298AD7F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$gethostnamelstrcpy
                                                                                                  • String ID: LocalHost
                                                                                                  • API String ID: 3695455745-3154191806
                                                                                                  • Opcode ID: 9a71ec9bc8c1bee25e9633cf21f1ec124b9fd2b76f6ad9d1c278e3c6dd4665e6
                                                                                                  • Instruction ID: 0654e51395f8e5ed16c848431efea137499ff5ab3c6a35dad8e98768af35571e
                                                                                                  • Opcode Fuzzy Hash: 9a71ec9bc8c1bee25e9633cf21f1ec124b9fd2b76f6ad9d1c278e3c6dd4665e6
                                                                                                  • Instruction Fuzzy Hash: 9101F1208881895DDF316A3C9844BB93F6EAF8671AF5C105BE4D1DB126FF64848787A2
                                                                                                  APIs
                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,029898FD,00000001,00000100,029922F8,0298A3C7), ref: 02984290
                                                                                                  • CloseHandle.KERNEL32(0298A3C7), ref: 029843AB
                                                                                                  • CloseHandle.KERNEL32(00000001), ref: 029843AE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle$CreateEvent
                                                                                                  • String ID:
                                                                                                  • API String ID: 1371578007-0
                                                                                                  • Opcode ID: c4c0a98afea306878358fa25775cad91d0c20cd1562ab61ecff6cc07a27bb041
                                                                                                  • Instruction ID: 2c8fc8b07152da9c9fda838dc516a79fe1e082bad0544859f8d24c4f4ade70ac
                                                                                                  • Opcode Fuzzy Hash: c4c0a98afea306878358fa25775cad91d0c20cd1562ab61ecff6cc07a27bb041
                                                                                                  • Instruction Fuzzy Hash: 5D41A071C4420ABAEF11BBA5DD85FAFBFBDEF40324F145556F615A2180D7348650CBA0
                                                                                                  APIs
                                                                                                  • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,029864CF,00000000), ref: 0298609C
                                                                                                  • LoadLibraryA.KERNEL32(?,?,029864CF,00000000), ref: 029860C3
                                                                                                  • GetProcAddress.KERNEL32(?,00000014), ref: 0298614A
                                                                                                  • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0298619E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Read$AddressLibraryLoadProc
                                                                                                  • String ID:
                                                                                                  • API String ID: 2438460464-0
                                                                                                  • Opcode ID: 5fa3683d4616fc047ebdf9cffb55b0aa49328193c6d1a520064c7fc9b7d5da3e
                                                                                                  • Instruction ID: 98968662be6ce6d5b5fa4d7013572350908336f6ec380b0527dcf10b8f8813e8
                                                                                                  • Opcode Fuzzy Hash: 5fa3683d4616fc047ebdf9cffb55b0aa49328193c6d1a520064c7fc9b7d5da3e
                                                                                                  • Instruction Fuzzy Hash: C4417E71E04109EFDB24EF59C884B79B7BDEF44358F188469E816DB292D734E950CB90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d3728062559db4840f136a08c56b53f8b7d1a79a32d3b1e4fb2eadefdc67e1f8
                                                                                                  • Instruction ID: 4c84fd30b4a1a364b0751f9d0b56704a8e8287b864b9f9db8b37e2c166926222
                                                                                                  • Opcode Fuzzy Hash: d3728062559db4840f136a08c56b53f8b7d1a79a32d3b1e4fb2eadefdc67e1f8
                                                                                                  • Instruction Fuzzy Hash: 4431A072E00208ABDB20AFA9CC81BBEB7F4FF48701F144856E945E7281E374D641CB54
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0298272E
                                                                                                  • htons.WS2_32(00000001), ref: 02982752
                                                                                                  • htons.WS2_32(0000000F), ref: 029827D5
                                                                                                  • htons.WS2_32(00000001), ref: 029827E3
                                                                                                  • sendto.WS2_32(?,02992BF8,00000009,00000000,00000010,00000010), ref: 02982802
                                                                                                    • Part of subcall function 0298EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0298EBFE,7FFF0001,?,0298DB55,7FFF0001), ref: 0298EBD3
                                                                                                    • Part of subcall function 0298EBCC: RtlAllocateHeap.NTDLL(00000000,?,0298DB55,7FFF0001), ref: 0298EBDA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                                  • String ID:
                                                                                                  • API String ID: 1128258776-0
                                                                                                  • Opcode ID: 89d54c3fef006e3394b9061aa73029a4ae7c28a55129c832c09667fd19e139b9
                                                                                                  • Instruction ID: d1fa1bf18a1ad19b5a2ba172237eebdf5c29e451658ef353ceb9d742bcefa29e
                                                                                                  • Opcode Fuzzy Hash: 89d54c3fef006e3394b9061aa73029a4ae7c28a55129c832c09667fd19e139b9
                                                                                                  • Instruction Fuzzy Hash: 67314934E883C2AFD710AF79D890AB577A4EF5A338B1D485DEC658B312D632E452CB50
                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,029922F8), ref: 0298915F
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000), ref: 02989166
                                                                                                  • CharToOemA.USER32(?,?), ref: 02989174
                                                                                                  • wsprintfA.USER32 ref: 029891A9
                                                                                                    • Part of subcall function 02989064: GetTempPathA.KERNEL32(00000400,?,00000000,029922F8), ref: 0298907B
                                                                                                    • Part of subcall function 02989064: wsprintfA.USER32 ref: 029890E9
                                                                                                    • Part of subcall function 02989064: CreateFileA.KERNEL32(029922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0298910E
                                                                                                    • Part of subcall function 02989064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02989122
                                                                                                    • Part of subcall function 02989064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0298912D
                                                                                                    • Part of subcall function 02989064: CloseHandle.KERNEL32(00000000), ref: 02989134
                                                                                                  • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029891E1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 3857584221-0
                                                                                                  • Opcode ID: 2cdb1eb1ea8dcf2efdf2379827611e25c66c4879d567f1cdefb7302f3c8d9ba2
                                                                                                  • Instruction ID: 901dbe72341b6c9b5767287378a84d11068883f1f71bc5a74c0f8713ba817822
                                                                                                  • Opcode Fuzzy Hash: 2cdb1eb1ea8dcf2efdf2379827611e25c66c4879d567f1cdefb7302f3c8d9ba2
                                                                                                  • Instruction Fuzzy Hash: 5A0140F7D401587BEB30A6659D49FEF7B7CDB95711F000492BB59E2040D67096858F70
                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02982491,?,?,?,0298E844,-00000030,?,?,?,00000001), ref: 02982429
                                                                                                  • lstrlenA.KERNEL32(?,?,02982491,?,?,?,0298E844,-00000030,?,?,?,00000001,02981E3D,00000001,localcfg,lid_file_upd), ref: 0298243E
                                                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 02982452
                                                                                                  • lstrlenA.KERNEL32(?,?,02982491,?,?,?,0298E844,-00000030,?,?,?,00000001,02981E3D,00000001,localcfg,lid_file_upd), ref: 02982467
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$lstrcmpi
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 1808961391-1857712256
                                                                                                  • Opcode ID: 900d1d854d3a778fae94e5cf357ae65f05967b529f5231865ae2a729b0b42adc
                                                                                                  • Instruction ID: b868c384639c7221f55ecf835addde8c2483f4eff724eb96a5f892c5192be25f
                                                                                                  • Opcode Fuzzy Hash: 900d1d854d3a778fae94e5cf357ae65f05967b529f5231865ae2a729b0b42adc
                                                                                                  • Instruction Fuzzy Hash: 12011A32A00259AFCF11EF79CC849DE7BA9EF44364B05C425EC6997200E330EA50CAA0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: wsprintf
                                                                                                  • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                                  • API String ID: 2111968516-120809033
                                                                                                  • Opcode ID: ce752ee73540942926c2ba964dd2f768d1c1ed065f85ca07fc99cde822a45060
                                                                                                  • Instruction ID: dd7dc36e091d260688043740dcb3a0b35fae3f560e578abd227a755924341765
                                                                                                  • Opcode Fuzzy Hash: ce752ee73540942926c2ba964dd2f768d1c1ed065f85ca07fc99cde822a45060
                                                                                                  • Instruction Fuzzy Hash: 6F418B729042989FDB21EF798854BEE3BED9F49310F280056FDA4D3151E634DA05CBA0
                                                                                                  APIs
                                                                                                    • Part of subcall function 0298DD05: GetTickCount.KERNEL32 ref: 0298DD0F
                                                                                                    • Part of subcall function 0298DD05: InterlockedExchange.KERNEL32(029936B4,00000001), ref: 0298DD44
                                                                                                    • Part of subcall function 0298DD05: GetCurrentThreadId.KERNEL32 ref: 0298DD53
                                                                                                  • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,02985EC1), ref: 0298E693
                                                                                                  • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,02985EC1), ref: 0298E6E9
                                                                                                  • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,02985EC1), ref: 0298E722
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                                  • String ID: 89ABCDEF
                                                                                                  • API String ID: 3343386518-71641322
                                                                                                  • Opcode ID: 3822716137f28c9f16b86f6cd2bbff177d27619e76fb3c40fe98038e7aeeb558
                                                                                                  • Instruction ID: e7215228768b226cb7fda01995d2dd49c75b5ecccdeed25d4c674ab2ad1ba533
                                                                                                  • Opcode Fuzzy Hash: 3822716137f28c9f16b86f6cd2bbff177d27619e76fb3c40fe98038e7aeeb558
                                                                                                  • Instruction Fuzzy Hash: 1E31CF32A04705EBCF31EF64D894B6677E8BF01724F18492EF9958B552E770E884CB91
                                                                                                  APIs
                                                                                                  • RegCreateKeyExA.ADVAPI32(80000001,0298E2A3,00000000,00000000,00000000,00020106,00000000,0298E2A3,00000000,000000E4), ref: 0298E0B2
                                                                                                  • RegSetValueExA.ADVAPI32(0298E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,029922F8), ref: 0298E127
                                                                                                  • RegDeleteValueA.ADVAPI32(0298E2A3,?,?,?,?,?,000000C8,029922F8), ref: 0298E158
                                                                                                  • RegCloseKey.ADVAPI32(0298E2A3,?,?,?,?,000000C8,029922F8,?,?,?,?,?,?,?,?,0298E2A3), ref: 0298E161
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Value$CloseCreateDelete
                                                                                                  • String ID:
                                                                                                  • API String ID: 2667537340-0
                                                                                                  • Opcode ID: 7b1d24ca4e95f8fc33dd0028f264cdaf2bfd381bef781ac35b11f31a1272703f
                                                                                                  • Instruction ID: 2ff643418d5301088489295ae3f45df01b676ff0beef753fede350b67e5734c8
                                                                                                  • Opcode Fuzzy Hash: 7b1d24ca4e95f8fc33dd0028f264cdaf2bfd381bef781ac35b11f31a1272703f
                                                                                                  • Instruction Fuzzy Hash: 2C216F72E00219BBDF21AEA8DC89EEE7FBDEF09760F044061F954E6150E7318A54CB90
                                                                                                  APIs
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,0298A3C7,00000000,00000000,000007D0,00000001), ref: 02983FB8
                                                                                                  • GetLastError.KERNEL32 ref: 02983FC2
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 02983FD3
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02983FE6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                                  • String ID:
                                                                                                  • API String ID: 888215731-0
                                                                                                  • Opcode ID: e2be7da79c143c14f16ad873def3d607c7e41f0fd7b01243a72982fc3beafcfb
                                                                                                  • Instruction ID: ec0d5c7c28ed342729b7b85e31268c2dc665daf1d8176df8cd26774399ce9c5f
                                                                                                  • Opcode Fuzzy Hash: e2be7da79c143c14f16ad873def3d607c7e41f0fd7b01243a72982fc3beafcfb
                                                                                                  • Instruction Fuzzy Hash: F401E97291011AABEF11EF94D945BEE7B7CEB04755F004461F902E2040DB71DA64CBB5
                                                                                                  APIs
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,0298A3C7,00000000,00000000,000007D0,00000001), ref: 02983F44
                                                                                                  • GetLastError.KERNEL32 ref: 02983F4E
                                                                                                  • WaitForSingleObject.KERNEL32(00000004,?), ref: 02983F5F
                                                                                                  • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02983F72
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3373104450-0
                                                                                                  • Opcode ID: 896e6892c3d7fcca3054333d2b65e48394d65d5a57223be458daaf83bf3be758
                                                                                                  • Instruction ID: f3f56d2aa9d2ad22743d450ef38f103371945d6fc9b9c1b5e70868dbe08c2bfc
                                                                                                  • Opcode Fuzzy Hash: 896e6892c3d7fcca3054333d2b65e48394d65d5a57223be458daaf83bf3be758
                                                                                                  • Instruction Fuzzy Hash: F2012272914119ABEF01EE94EE84BEF3BBCEB04766F004465FA11E2040D735DA20CBB6
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 02984E9E
                                                                                                  • GetTickCount.KERNEL32 ref: 02984EAD
                                                                                                  • Sleep.KERNEL32(0000000A,?,00000001), ref: 02984EBA
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02984EC3
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: e608ae0bc58e49e101806d19b9211f310bc5b0932ca07edba1e8faa91d660adc
                                                                                                  • Instruction ID: 71c4997d9bdd6c78b7ce379258c1de3e3b8589670909f2561a9db43b52d6cdb6
                                                                                                  • Opcode Fuzzy Hash: e608ae0bc58e49e101806d19b9211f310bc5b0932ca07edba1e8faa91d660adc
                                                                                                  • Instruction Fuzzy Hash: 00E072337842066BDA0032BEEC84F7B738DAF86371F090932FB09C2181C696D82281F1
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 0298A4D1
                                                                                                  • GetTickCount.KERNEL32 ref: 0298A4E4
                                                                                                  • Sleep.KERNEL32(00000000,?,0298C2E9,0298C4E0,00000000,localcfg,?,0298C4E0,02993588,02988810), ref: 0298A4F1
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 0298A4FA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: b4a2c9b23ce074555385204ceea8f0ab4a30cfc55c1cdbc184d17addca97ff68
                                                                                                  • Instruction ID: 382e739584065264eec29b1b30b24f1acf1aceab9490f15b7fe0788d5709024d
                                                                                                  • Opcode Fuzzy Hash: b4a2c9b23ce074555385204ceea8f0ab4a30cfc55c1cdbc184d17addca97ff68
                                                                                                  • Instruction Fuzzy Hash: B4E0263324420557CA0027B9AC84F7E3388AB49771F090422FA08D3140C61AA461C1B6
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 02984BDD
                                                                                                  • GetTickCount.KERNEL32 ref: 02984BEC
                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,02E1B12C,029850F2), ref: 02984BF9
                                                                                                  • InterlockedExchange.KERNEL32(02E1B120,00000001), ref: 02984C02
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: e3f425bbcbdbac6787cc030fad38e61e74f019ca00c95d18ca923cc67cf2b970
                                                                                                  • Instruction ID: 8eb16641402f31eb48d2411c2b4a3c58dfa3b0ee668794a518fade14b0d8a78d
                                                                                                  • Opcode Fuzzy Hash: e3f425bbcbdbac6787cc030fad38e61e74f019ca00c95d18ca923cc67cf2b970
                                                                                                  • Instruction Fuzzy Hash: CCE0863768521657C61026AA5C84FAA779CAF45372F0A0876F718D2140C556945181B1
                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 02983103
                                                                                                  • GetTickCount.KERNEL32 ref: 0298310F
                                                                                                  • Sleep.KERNEL32(00000000), ref: 0298311C
                                                                                                  • InterlockedExchange.KERNEL32(?,00000001), ref: 02983128
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick$ExchangeInterlockedSleep
                                                                                                  • String ID:
                                                                                                  • API String ID: 2207858713-0
                                                                                                  • Opcode ID: 3fc7d31da78ecac0e3e130806c8d3e66b25d2a3e1681465cdbd65df84e6ef609
                                                                                                  • Instruction ID: dfc74fae373d92afaf8f5942feb552ba91af1299591343ed352d47ca85834992
                                                                                                  • Opcode Fuzzy Hash: 3fc7d31da78ecac0e3e130806c8d3e66b25d2a3e1681465cdbd65df84e6ef609
                                                                                                  • Instruction Fuzzy Hash: 10E0C231648215ABDB007B7AAD44B796A5EEF84F76F050871F215D3090C6504820C971
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTick
                                                                                                  • String ID: localcfg
                                                                                                  • API String ID: 536389180-1857712256
                                                                                                  • Opcode ID: 4051a23ba4e7926efd7223aa245452e0d606fc42dacd1bb41edffda7675cdcdf
                                                                                                  • Instruction ID: d7c355de7e0d59479bf224ffd634bd0adced34130973928be4beb50df58d5758
                                                                                                  • Opcode Fuzzy Hash: 4051a23ba4e7926efd7223aa245452e0d606fc42dacd1bb41edffda7675cdcdf
                                                                                                  • Instruction Fuzzy Hash: C121D232A14119BFDB10AF68C881A6ABBBEFF60325BAD059AD401D7101EB30E950CB64
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0298C057
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CountTickwsprintf
                                                                                                  • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                                  • API String ID: 2424974917-1012700906
                                                                                                  • Opcode ID: 1db8102f23b5699fccab6a8c1303b965e0881c664e95e00c6fba191742424b61
• Instruction ID: 3f7355bd9b74f132e2d3418d18045977e8d93701a543aa8a1c958c698a0ef04d
• Opcode Fuzzy Hash: 1db8102f23b5699fccab6a8c1303b965e0881c664e95e00c6fba191742424b61
• Instruction Fuzzy Hash: 61119772500100FFDB529AA9CD44E567FA6FF88329B34819CF6188E166D633D863EB50
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 029826C3
• inet_ntoa.WS2_32(?), ref: 029826E4
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: b1172ce32b2c5f76fbee694458154860ea609e3161ec4e6feb4d27de6480cf54
• Instruction ID: e42136bccdc630e80e067da697e5781b0be1a68bfcc3affdcc24e6e7a6fd6ae0
• Opcode Fuzzy Hash: b1172ce32b2c5f76fbee694458154860ea609e3161ec4e6feb4d27de6480cf54
• Instruction Fuzzy Hash: F7F012775482096BEB007FA4EC05AAA379DDF05660F184426F918DA090DB71D950D798
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0298EB54,_alldiv,0298F0B7,80000001,00000000,00989680,00000000,?,?,?,0298E342,00000000,7508EA50,80000001,00000000), ref: 0298EAF2
• GetProcAddress.KERNEL32(76E80000,00000000), ref: 0298EB07
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: c9a393d23b9cc60d50a0f1417554eea0a5e7158072ba2ce0999a9af712ac4f5c
• Instruction ID: 9e9c481b6ea2cdafa26e198fd77e4697c8a2e0a70742bee19730eb8f60ac8bce
• Opcode Fuzzy Hash: c9a393d23b9cc60d50a0f1417554eea0a5e7158072ba2ce0999a9af712ac4f5c
• Instruction Fuzzy Hash: 1FD0C735A4430257DF115F6F951BA2676DC77507217404855F456D1100D730D414DA14
APIs
  • Part of subcall function 02982D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02982F01,?,029820FF,02992000), ref: 02982D3A
  • Part of subcall function 02982D21: LoadLibraryA.KERNEL32(?), ref: 02982D4A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02982F73
• HeapFree.KERNEL32(00000000), ref: 02982F7A
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_2980000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 36c308cf5b17b1944aff6a09ead436eeac0fa534b2e9ed4d6781454feeead00d
• Instruction ID: 080dbdf16ff9c1208642f2392a2c6a21add233f9bd59d8ec110762ea53e23393
• Opcode Fuzzy Hash: 36c308cf5b17b1944aff6a09ead436eeac0fa534b2e9ed4d6781454feeead00d
• Instruction Fuzzy Hash: 0451807190024AAFDF01AF64D888AF9B7B9FF05304F1845A9EC96D7210E7329A19CF94
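The per-function entries above (an "APIs" list, a "Similarity" block with API ID / String ID / Opcode ID, and the memory-dump source) are what an analyst reads to decide which functions in the injected svchost.exe image deserve a closer look. The following is an added example, not Joe Sandbox code: a small parser for this entry format plus a triage pass that flags the two behaviours visible in these three entries, dynamic API resolution (LoadLibraryA/GetModuleHandleA followed by GetProcAddress, which is what the "Contains functionality to dynamically determine API calls" signature describes) and a reverse DNS lookup via gethostbyaddr next to the "localcfg" string. The embedded SAMPLE_REPORT is copied from the entries on this page with some hash lines omitted; the flag names ("dynamic_api_resolution", "reverse_dns_lookup", "modules_loaded") are this example's own labels, not Joe Sandbox signature identifiers.

```python
"""Parse Joe Sandbox per-function entries and flag triage-relevant API use.

Added example, not Joe Sandbox code. Flag names below are this example's
own; the report text is copied from the entries on this page (abbreviated).
"""
import re
from typing import Dict, List

# Three function entries from process 20 (svchost.exe, dump at 0x02980000),
# leading whitespace removed and some hash lines dropped for brevity.
SAMPLE_REPORT = """\
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 029826C3
• inet_ntoa.WS2_32(?), ref: 029826E4
Strings
Memory Dump Source
• Source File: 00000014.00000002.3270381110.0000000002980000.00000040.00000400.00020000.00000000.sdmp, Offset: 02980000, based on PE: true
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: b1172ce32b2c5f76fbee694458154860ea609e3161ec4e6feb4d27de6480cf54
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0298EB54,_alldiv,0298F0B7,80000001,00000000,00989680,00000000,?,?,?,0298E342,00000000,7508EA50,80000001,00000000), ref: 0298EAF2
• GetProcAddress.KERNEL32(76E80000,00000000), ref: 0298EB07
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• Opcode ID: c9a393d23b9cc60d50a0f1417554eea0a5e7158072ba2ce0999a9af712ac4f5c
APIs
  • Part of subcall function 02982D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02982F01,?,029820FF,02992000), ref: 02982D3A
  • Part of subcall function 02982D21: LoadLibraryA.KERNEL32(?), ref: 02982D4A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02982F73
• HeapFree.KERNEL32(00000000), ref: 02982F7A
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• Opcode ID: 36c308cf5b17b1944aff6a09ead436eeac0fa534b2e9ed4d6781454feeead00d
"""

# "[Part of subcall function <addr>: ]<api>.<module>(<args>), ref: <addr>"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)$"
)

# Loader APIs that, paired with GetProcAddress, indicate runtime import resolution.
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}


def parse_report(text: str) -> List[Dict]:
    """One record per function entry; an entry starts at an 'APIs' heading.

    Bullets under 'APIs' become api dicts (caller is None for direct calls);
    every other 'Key: value' bullet lands in record['fields']. Lines before the
    first 'APIs' heading (the tail of a truncated entry) are skipped.
    """
    entries: List[Dict] = []
    current: Dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            if current:
                entries.append(current)
            current, section = {"apis": [], "fields": {}}, "APIs"
        elif not current or not line:
            continue
        elif not line.startswith("•"):
            section = line          # bare heading such as 'Strings' or 'Similarity'
        else:
            body = line[1:].strip()
            m = API_RE.match(body) if section == "APIs" else None
            if m:
                current["apis"].append(m.groupdict())
            elif ":" in body:
                key, _, value = body.partition(":")
                current["fields"][key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def flag_entry(entry: Dict) -> Dict[str, object]:
    """Derive triage flags for one entry from its API names and arguments."""
    names = {a["api"] for a in entry["apis"]}
    first_args = [a["args"].split(",")[0] for a in entry["apis"] if a["api"] in LOADERS]
    return {
        "opcode_id": entry["fields"].get("Opcode ID", ""),
        "string_id": entry["fields"].get("String ID", ""),
        "dynamic_api_resolution": bool(names & LOADERS) and "GetProcAddress" in names,
        "reverse_dns_lookup": "gethostbyaddr" in names,
        "modules_loaded": sorted(a for a in first_args if a.lower().endswith(".dll")),
    }


def triage(text: str) -> List[Dict[str, object]]:
    """Parse a report fragment and return the flags for each function entry."""
    return [flag_entry(e) for e in parse_report(text)]


if __name__ == "__main__":
    for flags in triage(SAMPLE_REPORT):
        hits = [k for k in ("dynamic_api_resolution", "reverse_dns_lookup") if flags[k]]
        print(flags["opcode_id"][:16], flags["string_id"] or "-", hits, flags["modules_loaded"])
```

Run against the full report, the Opcode ID field lets you correlate a flagged function with the same function in other dumps (the Opcode ID is stable across the unpacked image), while the ref addresses give the call sites to jump to when the 0x02980000 region is loaded in a disassembler.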