Windows Analysis Report
foufdsk.exe

Overview

General Information

Sample name: foufdsk.exe
Analysis ID: 1503655
MD5: 3482cbbb23d7548633dde35f128ea40a
SHA1: b8cba7389b8e195b30ceb2e1a2b1d1fd6129adbd
SHA256: 8777baf9f5a68be1faf17fa6f7c5ab3de0113392784cc150b822b7db5426e380
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Yara signature match

Classification

  • System is w10x64
  • foufdsk.exe (PID: 1908 cmdline: "C:\Users\user\Desktop\foufdsk.exe" MD5: 3482CBBB23D7548633DDE35F128EA40A)
    • cmd.exe (PID: 6136 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qruvscyd\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2588 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\zgjedxxr.exe" C:\Windows\SysWOW64\qruvscyd\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5700 cmdline: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6940 cmdline: "C:\Windows\System32\sc.exe" description qruvscyd "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2120 cmdline: "C:\Windows\System32\sc.exe" start qruvscyd MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5560 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • zgjedxxr.exe (PID: 1280 cmdline: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d"C:\Users\user\Desktop\foufdsk.exe" MD5: B0BAD557872E328489366B11673D2CBC)
    • svchost.exe (PID: 6664 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 3424 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):

Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(first entries of 24 shown)

Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 12.2.zgjedxxr.exe.ee0e67.1.unpack, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.zgjedxxr.exe.ee0e67.1.unpack, Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 12.2.zgjedxxr.exe.400000.0.unpack, Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Author: Joe Security
Source: 12.2.zgjedxxr.exe.400000.0.unpack, Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.zgjedxxr.exe.400000.0.unpack, Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Author: ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(first entries of 39 shown)

System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d"C:\Users\user\Desktop\foufdsk.exe", ParentImage: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe, ParentProcessId: 1280, ParentProcessName: zgjedxxr.exe, ProcessCommandLine: svchost.exe, ProcessId: 6664, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\foufdsk.exe", ParentImage: C:\Users\user\Desktop\foufdsk.exe, ParentProcessId: 1908, ParentProcessName: foufdsk.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5700, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.40.26, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 6664, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d"C:\Users\user\Desktop\foufdsk.exe", ParentImage: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe, ParentProcessId: 1280, ParentProcessName: zgjedxxr.exe, ProcessCommandLine: svchost.exe, ProcessId: 6664, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6664, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qruvscyd
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\foufdsk.exe", ParentImage: C:\Users\user\Desktop\foufdsk.exe, ParentProcessId: 1908, ParentProcessName: foufdsk.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5700, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 3424, ProcessName: svchost.exe
No Suricata rule has matched

        AV Detection

Source: jotunheim.name:443, Avira URL Cloud: Label: malware
Source: vanaheim.cn:443, Avira URL Cloud: Label: phishing
Source: 0.2.foufdsk.exe.780e67.1.raw.unpack, Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: foufdsk.exe, ReversingLabs: Detection: 39%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\zgjedxxr.exe, Joe Sandbox ML: detected
Source: foufdsk.exe, Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\foufdsk.exe, Unpacked PE file: 0.2.foufdsk.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe, Unpacked PE file: 12.2.zgjedxxr.exe.400000.0.unpack
Source: C:\Users\user\Desktop\foufdsk.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe, Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\qruvscyd

        Networking

Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 108.177.15.26 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 98.136.96.76 25
Source: C:\Windows\SysWOW64\svchost.exe, Network Connect: 52.101.40.26 25
Source: Malware configuration extractor, URLs: vanaheim.cn:443
Source: Malware configuration extractor, URLs: jotunheim.name:443
Source: Joe Sandbox View, IP Address: 52.101.40.26
Source: Joe Sandbox View, IP Address: 217.69.139.150
Source: Joe Sandbox View, IP Address: 98.136.96.76
Source: Joe Sandbox View, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View, ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View, ASN Name: EUT-ASEUTIPNetworkRU
Source: Joe Sandbox View, ASN Name: YAHOO-NE1US
Source: global traffic, TCP traffic: 192.168.2.6:49712 -> 52.101.40.26:25
Source: global traffic, TCP traffic: 192.168.2.6:49718 -> 98.136.96.76:25
Source: global traffic, TCP traffic: 192.168.2.6:55925 -> 108.177.15.26:25
Source: global traffic, TCP traffic: 192.168.2.6:55928 -> 217.69.139.150:25
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic, DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic, DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic, DNS traffic detected: DNS query: yahoo.com
Source: global traffic, DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic, DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: google.com
Source: global traffic, DNS traffic detected: DNS query: smtp.google.com
Source: global traffic, DNS traffic detected: DNS query: mail.ru
Source: global traffic, DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 55926
Source: unknown, Network traffic detected: HTTP traffic on port 55930 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 55930
Source: unknown, Network traffic detected: HTTP traffic on port 55926 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49713

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match, File source: 12.2.zgjedxxr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.3.foufdsk.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.svchost.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.zgjedxxr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.svchost.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.3.zgjedxxr.exe.f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.zgjedxxr.exe.f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.foufdsk.exe.780e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.foufdsk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.foufdsk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.zgjedxxr.exe.f40000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: foufdsk.exe PID: 1908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: zgjedxxr.exe PID: 1280, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6664, type: MEMORYSTR

        System Summary

Source: 12.2.zgjedxxr.exe.ee0e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.zgjedxxr.exe.ee0e67.1.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.zgjedxxr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.zgjedxxr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.foufdsk.exe.780e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.foufdsk.exe.780e67.1.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.foufdsk.exe.7a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.foufdsk.exe.7a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 15.2.svchost.exe.740000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 15.2.svchost.exe.740000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.zgjedxxr.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.zgjedxxr.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.zgjedxxr.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.zgjedxxr.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 15.2.svchost.exe.740000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 15.2.svchost.exe.740000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.zgjedxxr.exe.f00000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.zgjedxxr.exe.f00000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.zgjedxxr.exe.f40000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.zgjedxxr.exe.f40000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.foufdsk.exe.780e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.foufdsk.exe.780e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.foufdsk.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.foufdsk.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.foufdsk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.foufdsk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.zgjedxxr.exe.f40000.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.zgjedxxr.exe.f40000.2.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.foufdsk.exe.7a0000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.foufdsk.exe.7a0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2154069469.0000000000632000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2153887061.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Tofsee Author: ditekSHen
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe, File created: C:\Windows\SysWOW64\qruvscyd\
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe, Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 15_2_0074C913
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\foufdsk.exe, Code function: String function: 007827AB appears 35 times
Source: 12.2.zgjedxxr.exe.ee0e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.zgjedxxr.exe.ee0e67.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.zgjedxxr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.zgjedxxr.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.foufdsk.exe.780e67.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.foufdsk.exe.780e67.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.foufdsk.exe.7a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.foufdsk.exe.7a0000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 15.2.svchost.exe.740000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 15.2.svchost.exe.740000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.zgjedxxr.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.zgjedxxr.exe.f00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.zgjedxxr.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.zgjedxxr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 15.2.svchost.exe.740000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 15.2.svchost.exe.740000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.zgjedxxr.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.zgjedxxr.exe.f00000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.zgjedxxr.exe.f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.zgjedxxr.exe.f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.foufdsk.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.foufdsk.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.foufdsk.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.foufdsk.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.foufdsk.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.foufdsk.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.zgjedxxr.exe.f40000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.zgjedxxr.exe.f40000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.foufdsk.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.foufdsk.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2154069469.0000000000632000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2153887061.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@23/3@11/5
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, 0_2_00406A60
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00808DA8 CreateToolhelp32Snapshot,Module32First, 0_2_00808DA8
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_00749A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 15_2_00749A6B
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3404:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2016:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03
        Source: C:\Users\user\Desktop\foufdsk.exe | File created: C:\Users\user\AppData\Local\Temp\zgjedxxr.exe
        Source: C:\Users\user\Desktop\foufdsk.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\foufdsk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: foufdsk.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\foufdsk.exe | File read: C:\Users\user\Desktop\foufdsk.exe
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-14763
        Source: C:\Users\user\Desktop\foufdsk.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-14567
        Source: unknown | Process created: C:\Users\user\Desktop\foufdsk.exe "C:\Users\user\Desktop\foufdsk.exe"
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qruvscyd\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\zgjedxxr.exe" C:\Windows\SysWOW64\qruvscyd\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description qruvscyd "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qruvscyd
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d"C:\Users\user\Desktop\foufdsk.exe"
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\foufdsk.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\foufdsk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: foufdsk.exeStatic file information: File size 11724288 > 1048576
        Source: C:\Users\user\Desktop\foufdsk.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\foufdsk.exe | Unpacked PE file: 0.2.foufdsk.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Unpacked PE file: 12.2.zgjedxxr.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\foufdsk.exe | Unpacked PE file: 0.2.foufdsk.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Unpacked PE file: 12.2.zgjedxxr.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe
        Source: C:\Users\user\Desktop\foufdsk.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\zgjedxxr.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created (dropped file, reported twice): C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qruvscyd
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\foufdsk.exe
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\foufdsk.exe | Process information set: NOGPFAULTERRORBOX (12 occurrences)
        Source: C:\Users\user\Desktop\foufdsk.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_0074199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_12-15177
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_15-7870
        Source: C:\Users\user\Desktop\foufdsk.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-15035
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision | graph_15-6143
        Source: C:\Users\user\Desktop\foufdsk.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-15002
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_15-6422
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_12-15145
        Source: C:\Users\user\Desktop\foufdsk.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess | graph_0-14806
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_15-7434
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_12-14778
        Source: C:\Users\user\Desktop\foufdsk.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-14583
        Source: C:\Users\user\Desktop\foufdsk.exe | API coverage: 5.9 %
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | API coverage: 4.4 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 2032 | Thread sleep count: 36 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 2032 | Thread sleep time: -36000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (6 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (2 occurrences)
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount
        Source: svchost.exe, 0000000F.00000002.3357144475.0000000002E00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7Ds
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | API call chain: ExitProcess graph end node | graph_12-15147

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_15-7669
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_0078092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00780D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00808685 push dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Code function: 12_2_00641DB5 push dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Code function: 12_2_00EE092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Code function: 12_2_00EE0D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap
        Source: C:\Users\user\Desktop\foufdsk.exe, C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe, C:\Windows\SysWOW64\svchost.exe | Code function: 0_2_00409A6B, 12_2_00409A6B, 15_2_00749A6B (identical chain in all three processes) EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 108.177.15.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.76 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
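Four of the five connections above go to TCP/25, and the behavior graph resolves two of those peers to Yahoo and Microsoft mail exchangers. For a Tofsee sample that is the spam delivery path, not the command channel, and the triage consequence matters: the port-25 peers are victims' MX hosts that must not end up on a blocklist, while the behaviour (a Windows svchost.exe opening outbound SMTP) is what a detection should fire on. The script below is an added example, not part of the Joe Sandbox report. It parses the report's Network Connect lines and sorts them into spam-delivery peers and a remaining non-SMTP connection, which it labels a C2 candidate only because the report's extracted configuration is not reproduced on this page. The PTR names are embedded from the behavior graph so the example runs offline; peers the graph does not name are reported as unresolved, and the category names are mine.

```python
import re
from ipaddress import ip_address

# "Network Connect" entries copied from this report (process, peer IP, port).
REPORT_CONNECTS = """
C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 217.69.139.150 25
C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 108.177.15.26 25
C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 77.232.41.29 443
C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 98.136.96.76 25
C:\\Windows\\SysWOW64\\svchost.exe Network Connect: 52.101.40.26 25
"""

# Reverse names the behavior graph gives for two of the TCP/25 peers. A live
# triage script would resolve these itself; they are embedded so the example
# runs offline. Peers not listed here are reported as unresolved.
PTR_FROM_REPORT = {
    "98.136.96.76": "mta6.am0.yahoodns.net",
    "52.101.40.26": "microsoft-com.mail.protection.outlook.com",
}

CONNECT_RE = re.compile(r"^(?P<proc>\S+) Network Connect: (?P<ip>[\d.]+) (?P<port>\d+)$")


def parse_connects(text):
    """Turn the report lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            rows.append({"proc": m["proc"], "ip": m["ip"], "port": int(m["port"])})
    return rows


def classify(conn, ptr=PTR_FROM_REPORT):
    """Return (category, recommended action) for one connection."""
    image = conn["proc"].rsplit("\\", 1)[-1].lower()
    if not ip_address(conn["ip"]).is_global:
        return "local", "ignore"
    if conn["port"] == 25:
        # A spam bot's TCP/25 peers are the victims' mail exchangers, not the
        # operator's infrastructure: detect the behaviour, do not blocklist the MX.
        owner = ptr.get(conn["ip"], "unresolved MX")
        return "spam-delivery", (f"alert on {image} -> tcp/25; "
                                 f"do not blocklist {conn['ip']} ({owner})")
    if image == "svchost.exe":
        # A non-SMTP connection from a Windows host process is a candidate C2
        # endpoint. The report's extracted configuration is the authority; this
        # label is only a prompt to check it before blocking.
        return "candidate-c2", f"verify {conn['ip']}:{conn['port']} against the extracted config"
    return "other", "review"


def triage(text, ptr=PTR_FROM_REPORT):
    """List of (ip, port, category, action) for every parsed connection."""
    return [(c["ip"], c["port"]) + classify(c, ptr) for c in parse_connects(text)]


if __name__ == "__main__":
    for row in triage(REPORT_CONNECTS):
        print(*row, sep=" | ")
```

Running it prints one row per connection; the four port-25 rows come out as spam-delivery with a do-not-blocklist note, and 77.232.41.29:443 is the only row flagged for comparison with the extracted configuration.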
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 740000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 740000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 740000
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2BF6008
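The four entries above give the injection target in full: an RWX allocation at 0x740000 inside svchost.exe, filled with a buffer that begins 4D 5A (the MZ signature of a PE header). The function addresses scattered through this report let an analyst confirm what was written there: the service entry point appears as 0_2_00409A6B and 12_2_00409A6B in the two dropper processes (image base 0x400000) and as 15_2_00749A6B in svchost.exe, the same RVA 0x9A6B relocated by 0x340000, and the socket routine at 0x4088B0 reappears at 0x7488B0 in the same way. The script below is an added example, not report output: it parses Joe Sandbox function IDs, maps each address into the code regions the report names (the unpacked 0x400000 images, the second-stage regions 780e67 and ee0e67, and the 0x740000 buffer in svchost.exe), and groups addresses by RVA across processes. Region sizes are not in the report; the 0x20000 bound is assumed, chosen so that addresses outside any named region are listed as unmapped instead of being attributed to the nearest base.

```python
import re
from collections import defaultdict

# Joe Sandbox names functions "<process index>_<run>_<virtual address>".
FUNC_ID_RE = re.compile(r"^(?P<pidx>\d+)_(?P<run>\d+)_(?P<va>[0-9A-Fa-f]{8})$")

# Code regions named in this report: the unpacked image base of both dropper
# processes (...400000.0.unpack), their second-stage regions (...780e67.1 and
# ...ee0e67.1) and the buffer zgjedxxr.exe allocated inside svchost.exe
# ("Memory allocated ... base: 740000"). Sizes are not in the report; 0x20000
# is an assumed bound so that unknown addresses are reported, not guessed.
ASSUMED_SIZE = 0x20000
REGIONS = {
    0:  [("foufdsk.exe unpacked image", 0x400000),
         ("foufdsk.exe stage at 780000", 0x780000)],
    12: [("zgjedxxr.exe unpacked image", 0x400000),
         ("zgjedxxr.exe stage at EE0000", 0xEE0000)],
    15: [("svchost.exe injected image", 0x740000)],
}

# Function IDs copied from the report's "Code function" entries.
REPORT_FUNCS = [
    "0_2_00409A6B", "12_2_00409A6B", "15_2_00749A6B",   # service entry point chain
    "0_2_004088B0", "12_2_004088B0", "15_2_007488B0",   # socket/listen/accept routine
    "0_2_0078092B", "12_2_00EE092B",                    # mov eax, fs:[30h] (PEB read)
    "0_2_00780D90", "12_2_00EE0D90",
    "15_2_0074199C",                                    # GetAdaptersInfo routine
    "0_2_00808685", "12_2_00641DB5",                    # push fs:[30h], region not named
]


def locate(pidx, va, regions=REGIONS, size=ASSUMED_SIZE):
    """Return (region name, base, rva) for a virtual address, or None if it
    falls in no region the report names for that process."""
    for name, base in regions.get(pidx, []):
        if base <= va < base + size:
            return name, base, va - base
    return None


def correlate(func_ids, regions=REGIONS, size=ASSUMED_SIZE):
    """Group function IDs by RVA across processes.

    Returns (groups, unmapped): groups maps rva -> sorted [(pidx, region name)],
    unmapped lists the IDs that matched no known region."""
    groups, unmapped = defaultdict(set), []
    for fid in func_ids:
        m = FUNC_ID_RE.match(fid)
        if not m:
            raise ValueError(f"not a Joe Sandbox function id: {fid!r}")
        pidx, va = int(m["pidx"]), int(m["va"], 16)
        hit = locate(pidx, va, regions, size)
        if hit is None:
            unmapped.append(fid)
        else:
            groups[hit[2]].add((pidx, hit[0]))
    return {rva: sorted(p) for rva, p in groups.items()}, unmapped


def injected_matches(func_ids, injected_pidx=15, **kw):
    """RVAs present in the injected svchost.exe image that also occur in a
    dropper image: the same code, relocated, is what runs inside the host."""
    groups, _ = correlate(func_ids, **kw)
    return sorted(rva for rva, hits in groups.items()
                  if any(p == injected_pidx for p, _ in hits) and len(hits) > 1)


if __name__ == "__main__":
    groups, unmapped = correlate(REPORT_FUNCS)
    for rva in sorted(groups):
        print(f"RVA 0x{rva:X}: " + ", ".join(f"{p} ({n})" for p, n in groups[rva]))
    print("unmapped:", unmapped)
    print("shared with injected image:", [hex(r) for r in injected_matches(REPORT_FUNCS)])
```

The output shows RVAs 0x9A6B and 0x88B0 in all three processes, RVA 0x92B and 0xD90 in both second-stage regions (the unpacking stub is the same in both droppers), and the two fs:[30h] addresses that fall outside every region the report names, which is the honest answer when the report does not say where that code lives.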
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qruvscyd\
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\zgjedxxr.exe" C:\Windows\SysWOW64\qruvscyd\
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description qruvscyd "wifi internet conection"
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start qruvscyd
        Source: C:\Users\user\Desktop\foufdsk.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
        Source: C:\Users\user\Desktop\foufdsk.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation (4 occurrences)
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
        Source: C:\Users\user\Desktop\foufdsk.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\foufdsk.exe | Process created (reported twice): C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
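The whole installation chain is recorded verbatim in the command lines under Persistence and Installation Behavior and HIPS / PFW / Operating System Protection Evasion: cmd.exe stages the dropped file from %TEMP% into a freshly created SysWOW64 subdirectory, sc.exe registers it as an autostart service whose binPath carries the original dropper path in a /d argument (the service later deletes that file, which is the "Deletes itself after installation" signature), and netsh.exe adds an inbound allow rule for the SysWOW64 copy of svchost.exe, the process that will host the injected image, under a name imitating a Windows service description. The script below is an added example, not report output. It parses those command lines with a small Windows-style tokenizer shared by the sc.exe "key= value" convention and netsh's key=value pairs, then emits the findings a detection engineer would key on. The command lines are the report's; the finding wording and the checks themselves are mine, and the tokenizer handles only the escaping seen here (a single backslash before a double quote).

```python
import re

# Command lines copied from the report's "Process created" entries. The ">nul"
# on the netsh line is cmd.exe redirection residue and is stripped before parsing.
REPORT_CMDLINES = [l.strip() for l in r"""
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qruvscyd\
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\zgjedxxr.exe" C:\Windows\SysWOW64\qruvscyd\
"C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support"
"C:\Windows\System32\sc.exe" description qruvscyd "wifi internet conection"
"C:\Windows\System32\sc.exe" start qruvscyd
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
""".splitlines() if l.strip()]

SYSTEM32, SYSWOW64 = "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"


def win_argv(cmdline):
    """Split a Windows command line as CommandLineToArgvW does for the cases
    seen here: whitespace separates arguments, double quotes group, and a
    backslash escapes only an immediately following double quote. Runs of
    backslashes before a quote are not handled (assumption of this example)."""
    args, cur, in_quotes, pending, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"'); pending = True; i += 2
        elif ch == '"':
            in_quotes = not in_quotes; pending = True; i += 1
        elif ch.isspace() and not in_quotes:
            if pending:
                args.append("".join(cur)); cur, pending = [], False
            i += 1
        else:
            cur.append(ch); pending = True; i += 1
    if pending:
        args.append("".join(cur))
    return args


def parse_sc(argv):
    """sc.exe syntax: verb, service name, then options written as 'key= value'."""
    verb, service = argv[1].lower(), argv[2] if len(argv) > 2 else None
    opts, positional, rest, i = {}, [], argv[3:], 0
    while i < len(rest):
        if rest[i].endswith("=") and i + 1 < len(rest):
            opts[rest[i][:-1].lower()] = rest[i + 1]; i += 2
        else:
            positional.append(rest[i]); i += 1
    return {"tool": "sc", "verb": verb, "service": service, "opts": opts, "positional": positional}


def parse_netsh(argv):
    """netsh syntax: context words, then 'key=value' options."""
    context, opts = [], {}
    for tok in argv[1:]:
        if "=" in tok:
            k, v = tok.split("=", 1); opts[k.lower()] = v
        else:
            context.append(tok.lower())
    return {"tool": "netsh", "context": context, "opts": opts}


def parse_cmdline(cmdline):
    argv = win_argv(re.sub(r">\s*nul\s*$", "", cmdline))
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe == "sc.exe":
        return parse_sc(argv)
    if exe == "netsh.exe":
        return parse_netsh(argv)
    return {"tool": exe, "argv": argv[1:]}


def assess(cmdlines):
    """Findings a detection rule would key on for this install chain."""
    findings = []
    for cmd in cmdlines:
        p = parse_cmdline(cmd)
        if p["tool"] == "sc" and p["verb"] == "create":
            binpath = p["opts"].get("binpath", "")
            image = binpath.split(" /", 1)[0].lower()          # image path before any switch
            for sysdir in (SYSTEM32, SYSWOW64):
                if image.startswith(sysdir) and "\\" in image[len(sysdir):]:
                    findings.append(f"service {p['service']}: image in a subdirectory of a system directory ({image})")
            if re.search(r'/d"[^"]+"', binpath):
                findings.append(f"service {p['service']}: binPath passes the original dropper path via /d")
            if p["opts"].get("start", "").lower() == "auto":
                findings.append(f"service {p['service']}: autostart with DisplayName {p['opts'].get('displayname')!r}")
        elif p["tool"] == "netsh" and p["context"][:4] == ["advfirewall", "firewall", "add", "rule"]:
            o, prog = p["opts"], p["opts"].get("program", "").lower()
            # Inbound allow for an svchost.exe that is not the System32 one.
            if o.get("dir") == "in" and o.get("action") == "allow" \
                    and prog.endswith("\\svchost.exe") and not prog.startswith(SYSTEM32):
                findings.append(f"firewall: inbound allow for {prog} under the name {o.get('name')!r}")
        elif p["tool"] == "cmd.exe":
            a = [x.lower() for x in p["argv"]]                   # /C move /Y <src> <dst>
            if a[:2] == ["/c", "move"] and len(a) >= 5 and "\\temp\\" in a[3] \
                    and a[4].startswith((SYSTEM32, SYSWOW64)):
                findings.append(f"staging: {a[3]} moved into {a[4]}")
    return findings


if __name__ == "__main__":
    for f in assess(REPORT_CMDLINES):
        print(f)
```

Five findings come out of the report's six command lines: the Temp-to-SysWOW64 staging move, three on the service (non-standard image directory, the /d dropper reference, autostart under a generic display name) and the inbound firewall allow for C:\Windows\SysWOW64\svchost.exe. Any one of them is a reasonable hunt pivot; the service one in particular survives the self-deletion of foufdsk.exe because the registry key under Services\qruvscyd persists.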

        Stealing of Sensitive Information

        Source: Yara match | File source (UNPACKEDPE): 12.2.zgjedxxr.exe.400000.0.unpack; 0.3.foufdsk.exe.7a0000.0.raw.unpack; 15.2.svchost.exe.740000.0.unpack; 12.2.zgjedxxr.exe.400000.0.raw.unpack; 15.2.svchost.exe.740000.0.raw.unpack; 12.3.zgjedxxr.exe.f00000.0.raw.unpack; 12.2.zgjedxxr.exe.f40000.2.raw.unpack; 0.2.foufdsk.exe.780e67.1.raw.unpack; 0.2.foufdsk.exe.400000.0.raw.unpack; 0.2.foufdsk.exe.400000.0.unpack; 12.2.zgjedxxr.exe.f40000.2.unpack; 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack
        Source: Yara match | File source (MEMORY): 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp; 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp; 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp; 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp; 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp; 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp; 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp
        Source: Yara match | File source (MEMORYSTR): Process Memory Space: foufdsk.exe PID: 1908; zgjedxxr.exe PID: 1280; svchost.exe PID: 6664

        Remote Access Functionality

        Source: Yara match | File source (UNPACKEDPE): 12.2.zgjedxxr.exe.400000.0.unpack; 0.3.foufdsk.exe.7a0000.0.raw.unpack; 15.2.svchost.exe.740000.0.unpack; 12.2.zgjedxxr.exe.400000.0.raw.unpack; 15.2.svchost.exe.740000.0.raw.unpack; 12.3.zgjedxxr.exe.f00000.0.raw.unpack; 12.2.zgjedxxr.exe.f40000.2.raw.unpack; 0.2.foufdsk.exe.780e67.1.raw.unpack; 0.2.foufdsk.exe.400000.0.raw.unpack; 0.2.foufdsk.exe.400000.0.unpack; 12.2.zgjedxxr.exe.f40000.2.unpack; 12.2.zgjedxxr.exe.ee0e67.1.raw.unpack
        Source: Yara match | File source (MEMORY): 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp; 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp; 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp; 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp; 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp; 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp; 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp; 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp
        Source: Yara match | File source (MEMORYSTR): Process Memory Space: foufdsk.exe PID: 1908; zgjedxxr.exe PID: 1280; svchost.exe PID: 6664
        Source: C:\Users\user\Desktop\foufdsk.exe, C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe, C:\Windows\SysWOW64\svchost.exe | Code function: 0_2_004088B0, 12_2_004088B0, 15_2_007488B0 (identical chain in all three processes) CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        MITRE ATT&CK matrix (flattened from the report's table; a number in brackets is the report's signature-count badge for that technique)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
        Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
        Execution: Native API [41]; Command and Scripting Interpreter [2]; Service Execution [3]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
        Persistence: DLL Side-Loading [1]; Valid Accounts [1]; Windows Service [14]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
        Privilege Escalation: DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Windows Service [14]; Process Injection [412]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
        Defense Evasion: Disable or Modify Tools [3]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]; File Deletion [1]; Masquerading [12]; Valid Accounts [1]; Virtualization/Sandbox Evasion [11]; Access Token Manipulation [1]; Process Injection [412]
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
        Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [1]; System Information Discovery [15]; Security Software Discovery [111]; Virtualization/Sandbox Evasion [11]; Process Discovery [1]; System Owner/User Discovery [1]; System Network Configuration Discovery [1]; Network Service Discovery; System Network Connections Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
        Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
        Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [12]; Non-Application Layer Protocol [1]; Application Layer Protocol [112]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1503655, Sample: foufdsk.exe, Startdate: 03/09/2024, Architecture: WINDOWS, Score: 100

Contacted domains/IPs (sample level): yahoo.com; vanaheim.cn; 7 other IPs or domains
Signatures (sample level): Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures

Process tree:
• zgjedxxr.exe
  • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  • Started: svchost.exe
    • Connects to: mta6.am0.yahoodns.net 98.136.96.76, port 25, YAHOO-NE1US, United States; microsoft-com.mail.protection.outlook.com 52.101.40.26, port 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 3 other IPs or domains
    • Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
• foufdsk.exe
  • Dropped: C:\Users\user\AppData\Local\...\zgjedxxr.exe, PE32
  • Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  • Started: cmd.exe (drops C:\Windows\SysWOW64\...\zgjedxxr.exe (copy), PE32; starts conhost.exe); netsh.exe (starts conhost.exe); cmd.exe (starts conhost.exe); 3 other processes (each starts conhost.exe)
• svchost.exe

Source | Detection | Scanner | Label | Link
foufdsk.exe | 39% | ReversingLabs | |
foufdsk.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\zgjedxxr.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
jotunheim.name:443 | 100% | Avira URL Cloud | malware |
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 98.136.96.76 | true | true | | unknown
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.40.26 | true | true | | unknown
vanaheim.cn | 77.232.41.29 | true | true | | unknown
smtp.google.com | 108.177.15.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.101.40.26 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
108.177.15.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
98.136.96.76 | mta6.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1503655
Start date and time: 2024-09-03 19:03:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: foufdsk.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@23/3@11/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 68
• Number of non-executed functions: 258
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.231.239.246, 20.70.246.20, 20.112.250.133, 20.236.44.162, 20.76.201.171
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: foufdsk.exe
Time | Type | Description
13:04:44 | API Interceptor | 9x Sleep call for process: svchost.exe modified
                                                                                          Process:C:\Users\user\Desktop\foufdsk.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11648512
                                                                                          Entropy (8bit):4.603757643109644
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:7c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:71OZDisvwdaxO0PuG1R4CWs
                                                                                          MD5:B0BAD557872E328489366B11673D2CBC
                                                                                          SHA1:B0B931004FB3108D10A0249EBBFA6C8A88E8F292
                                                                                          SHA-256:87E3B01668F7F0C1683CA2A4DC8BC57F5282DC4940B655C5E2C645506BE746CD
                                                                                          SHA-512:7DF9DFF086C64A61F0DFB3E40EE22FC1FBF3A8F1C4869AAD448ED752AF18030813D9902BF3CFADB5BED09E22A789714EFAAB29965B61B1EFD1909626C64DF34C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&.......H...v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11648512
                                                                                          Entropy (8bit):4.603757643109644
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:7c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:71OZDisvwdaxO0PuG1R4CWs
                                                                                          MD5:B0BAD557872E328489366B11673D2CBC
                                                                                          SHA1:B0B931004FB3108D10A0249EBBFA6C8A88E8F292
                                                                                          SHA-256:87E3B01668F7F0C1683CA2A4DC8BC57F5282DC4940B655C5E2C645506BE746CD
                                                                                          SHA-512:7DF9DFF086C64A61F0DFB3E40EE22FC1FBF3A8F1C4869AAD448ED752AF18030813D9902BF3CFADB5BED09E22A789714EFAAB29965B61B1EFD1909626C64DF34C
                                                                                          Malicious:true
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&.......H...v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\netsh.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):3773
                                                                                          Entropy (8bit):4.7109073551842435
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                          MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                          SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                          SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                          SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                          Malicious:false
                                                                                          Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Entropy (8bit):4.603274561323683
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                          File name:foufdsk.exe
                                                                                          File size:11'724'288 bytes
                                                                                          MD5:3482cbbb23d7548633dde35f128ea40a
                                                                                          SHA1:b8cba7389b8e195b30ceb2e1a2b1d1fd6129adbd
                                                                                          SHA256:8777baf9f5a68be1faf17fa6f7c5ab3de0113392784cc150b822b7db5426e380
                                                                                          SHA512:db334c6aae52045ff3ce7597f172cce21f5a3a61a85b8dd4c5517eac649b60e429df968e1538c99080449d0ebfb5d8e917cb43bfa105e27d0a790ca2463748c7
                                                                                          SSDEEP:6144:Oc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:O1OZDisvwdaxO0PuG1R4CWs
                                                                                          TLSH:66C6537392E5BD54FA627A329E2FC6FC361EF951CD08379A2118BF0F2471162D1AA311
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e...................
                                                                                          Icon Hash:cd4d3d2e4e054d03
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Sep 3, 2024 19:04:02.427700043 CEST  49712        25         192.168.2.6    52.101.40.26
Sep 3, 2024 19:04:03.429572105 CEST  49712        25         192.168.2.6    52.101.40.26
Sep 3, 2024 19:04:05.429625988 CEST  49712        25         192.168.2.6    52.101.40.26
Sep 3, 2024 19:04:05.724097967 CEST  49713        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:04:05.724140882 CEST  443          49713      77.232.41.29   192.168.2.6
Sep 3, 2024 19:04:05.724209070 CEST  49713        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:04:09.429563999 CEST  49712        25         192.168.2.6    52.101.40.26
Sep 3, 2024 19:04:17.429558039 CEST  49712        25         192.168.2.6    52.101.40.26
Sep 3, 2024 19:04:22.431127071 CEST  49718        25         192.168.2.6    98.136.96.76
Sep 3, 2024 19:04:23.445173979 CEST  49718        25         192.168.2.6    98.136.96.76
Sep 3, 2024 19:04:25.445183992 CEST  49718        25         192.168.2.6    98.136.96.76
Sep 3, 2024 19:04:29.445343018 CEST  49718        25         192.168.2.6    98.136.96.76
Sep 3, 2024 19:04:37.445198059 CEST  49718        25         192.168.2.6    98.136.96.76
Sep 3, 2024 19:04:42.472208023 CEST  55925        25         192.168.2.6    108.177.15.26
Sep 3, 2024 19:04:43.476475000 CEST  55925        25         192.168.2.6    108.177.15.26
Sep 3, 2024 19:04:45.492125034 CEST  55925        25         192.168.2.6    108.177.15.26
Sep 3, 2024 19:04:45.733012915 CEST  49713        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:04:45.733095884 CEST  443          49713      77.232.41.29   192.168.2.6
Sep 3, 2024 19:04:45.733155012 CEST  49713        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:04:46.195700884 CEST  55926        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:04:46.195734024 CEST  443          55926      77.232.41.29   192.168.2.6
Sep 3, 2024 19:04:46.195796967 CEST  55926        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:04:49.492738008 CEST  55925        25         192.168.2.6    108.177.15.26
Sep 3, 2024 19:04:57.492197990 CEST  55925        25         192.168.2.6    108.177.15.26
Sep 3, 2024 19:05:02.958292961 CEST  55928        25         192.168.2.6    217.69.139.150
Sep 3, 2024 19:05:03.961158037 CEST  55928        25         192.168.2.6    217.69.139.150
Sep 3, 2024 19:05:05.976747990 CEST  55928        25         192.168.2.6    217.69.139.150
Sep 3, 2024 19:05:09.976624012 CEST  55928        25         192.168.2.6    217.69.139.150
Sep 3, 2024 19:05:17.976545095 CEST  55928        25         192.168.2.6    217.69.139.150
Sep 3, 2024 19:05:26.195470095 CEST  55926        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:05:26.195545912 CEST  443          55926      77.232.41.29   192.168.2.6
Sep 3, 2024 19:05:26.195605040 CEST  55926        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:05:26.350827932 CEST  55930        443        192.168.2.6    77.232.41.29
Sep 3, 2024 19:05:26.350898981 CEST  443          55930      77.232.41.29   192.168.2.6
Sep 3, 2024 19:05:26.351010084 CEST  55930        443        192.168.2.6    77.232.41.29
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Sep 3, 2024 19:04:02.152719975 CEST  52385        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:02.426959038 CEST  53           52385      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:05.133573055 CEST  60610        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:05.723397970 CEST  53           60610      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:22.414789915 CEST  60166        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:22.421737909 CEST  53           60166      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:22.422749043 CEST  50698        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:22.430627108 CEST  53           50698      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:26.907145023 CEST  53           51134      162.159.36.2   192.168.2.6
Sep 3, 2024 19:04:27.607842922 CEST  50340        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:27.617342949 CEST  53           50340      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:42.445689917 CEST  57893        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:42.453643084 CEST  53           57893      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:42.454282999 CEST  54754        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:42.471612930 CEST  53           54754      1.1.1.1        192.168.2.6
Sep 3, 2024 19:04:45.847589016 CEST  59206        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:04:46.195079088 CEST  53           59206      1.1.1.1        192.168.2.6
Sep 3, 2024 19:05:02.477102995 CEST  64238        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:05:02.940963030 CEST  53           64238      1.1.1.1        192.168.2.6
Sep 3, 2024 19:05:02.949403048 CEST  54780        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:05:02.957336903 CEST  53           54780      1.1.1.1        192.168.2.6
Sep 3, 2024 19:06:01.914110899 CEST  50397        53         192.168.2.6    1.1.1.1
Sep 3, 2024 19:06:01.944931984 CEST  53           50397      1.1.1.1        192.168.2.6
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                                       Type                 Class        DNS over HTTPS
Sep 3, 2024 19:04:02.152719975 CEST  192.168.2.6  1.1.1.1  0x59ed    Standard query (0)  microsoft-com.mail.protection.outlook.com  A (IP address)       IN (0x0001)  false
Sep 3, 2024 19:04:05.133573055 CEST  192.168.2.6  1.1.1.1  0x777b    Standard query (0)  vanaheim.cn                                A (IP address)       IN (0x0001)  false
Sep 3, 2024 19:04:22.414789915 CEST  192.168.2.6  1.1.1.1  0x1082    Standard query (0)  yahoo.com                                  MX (Mail exchange)   IN (0x0001)  false
Sep 3, 2024 19:04:22.422749043 CEST  192.168.2.6  1.1.1.1  0xcc0e    Standard query (0)  mta6.am0.yahoodns.net                      A (IP address)       IN (0x0001)  false
Sep 3, 2024 19:04:27.607842922 CEST  192.168.2.6  1.1.1.1  0x1163    Standard query (0)  171.39.242.20.in-addr.arpa                 PTR (Pointer record) IN (0x0001)  false
Sep 3, 2024 19:04:42.445689917 CEST  192.168.2.6  1.1.1.1  0xad73    Standard query (0)  google.com                                 MX (Mail exchange)   IN (0x0001)  false
Sep 3, 2024 19:04:42.454282999 CEST  192.168.2.6  1.1.1.1  0x73de    Standard query (0)  smtp.google.com                            A (IP address)       IN (0x0001)  false
Sep 3, 2024 19:04:45.847589016 CEST  192.168.2.6  1.1.1.1  0x95fc    Standard query (0)  vanaheim.cn                                A (IP address)       IN (0x0001)  false
Sep 3, 2024 19:05:02.477102995 CEST  192.168.2.6  1.1.1.1  0x8b2d    Standard query (0)  mail.ru                                    MX (Mail exchange)   IN (0x0001)  false
Sep 3, 2024 19:05:02.949403048 CEST  192.168.2.6  1.1.1.1  0xcdc1    Standard query (0)  mxs.mail.ru                                A (IP address)       IN (0x0001)  false
Sep 3, 2024 19:06:01.914110899 CEST  192.168.2.6  1.1.1.1  0x5185    Standard query (0)  microsoft-com.mail.protection.outlook.com  A (IP address)       IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                                       CName  Address         Type                  Class        DNS over HTTPS
Sep 3, 2024 19:04:02.426959038 CEST  1.1.1.1    192.168.2.6  0x59ed    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.40.26    A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:02.426959038 CEST  1.1.1.1    192.168.2.6  0x59ed    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.8.49     A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:02.426959038 CEST  1.1.1.1    192.168.2.6  0x59ed    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.42.0     A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:02.426959038 CEST  1.1.1.1    192.168.2.6  0x59ed    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.11.0     A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:05.723397970 CEST  1.1.1.1    192.168.2.6  0x777b    No error (0)    vanaheim.cn                                -      77.232.41.29    A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.421737909 CEST  1.1.1.1    192.168.2.6  0x1082    No error (0)    yahoo.com                                  -      -               MX (Mail exchange)    IN (0x0001)  false
Sep 3, 2024 19:04:22.421737909 CEST  1.1.1.1    192.168.2.6  0x1082    No error (0)    yahoo.com                                  -      -               MX (Mail exchange)    IN (0x0001)  false
Sep 3, 2024 19:04:22.421737909 CEST  1.1.1.1    192.168.2.6  0x1082    No error (0)    yahoo.com                                  -      -               MX (Mail exchange)    IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      98.136.96.76    A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      67.195.228.110  A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      67.195.204.79   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      67.195.204.74   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      98.136.96.77    A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      67.195.228.94   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      67.195.228.106  A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:22.430627108 CEST  1.1.1.1    192.168.2.6  0xcc0e    No error (0)    mta6.am0.yahoodns.net                      -      67.195.204.73   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:27.617342949 CEST  1.1.1.1    192.168.2.6  0x1163    Name error (3)  171.39.242.20.in-addr.arpa                 none   none            PTR (Pointer record)  IN (0x0001)  false
Sep 3, 2024 19:04:42.453643084 CEST  1.1.1.1    192.168.2.6  0xad73    No error (0)    google.com                                 -      -               MX (Mail exchange)    IN (0x0001)  false
Sep 3, 2024 19:04:42.471612930 CEST  1.1.1.1    192.168.2.6  0x73de    No error (0)    smtp.google.com                            -      108.177.15.26   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:42.471612930 CEST  1.1.1.1    192.168.2.6  0x73de    No error (0)    smtp.google.com                            -      108.177.15.27   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:42.471612930 CEST  1.1.1.1    192.168.2.6  0x73de    No error (0)    smtp.google.com                            -      74.125.133.27   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:42.471612930 CEST  1.1.1.1    192.168.2.6  0x73de    No error (0)    smtp.google.com                            -      74.125.133.26   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:42.471612930 CEST  1.1.1.1    192.168.2.6  0x73de    No error (0)    smtp.google.com                            -      173.194.76.27   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:04:46.195079088 CEST  1.1.1.1    192.168.2.6  0x95fc    No error (0)    vanaheim.cn                                -      77.232.41.29    A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:05:02.940963030 CEST  1.1.1.1    192.168.2.6  0x8b2d    No error (0)    mail.ru                                    -      -               MX (Mail exchange)    IN (0x0001)  false
Sep 3, 2024 19:05:02.957336903 CEST  1.1.1.1    192.168.2.6  0xcdc1    No error (0)    mxs.mail.ru                                -      217.69.139.150  A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:05:02.957336903 CEST  1.1.1.1    192.168.2.6  0xcdc1    No error (0)    mxs.mail.ru                                -      94.100.180.31   A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:06:01.944931984 CEST  1.1.1.1    192.168.2.6  0x5185    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.42.0     A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:06:01.944931984 CEST  1.1.1.1    192.168.2.6  0x5185    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.11.0     A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:06:01.944931984 CEST  1.1.1.1    192.168.2.6  0x5185    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.8.49     A (IP address)        IN (0x0001)  false
Sep 3, 2024 19:06:01.944931984 CEST  1.1.1.1    192.168.2.6  0x5185    No error (0)    microsoft-com.mail.protection.outlook.com  -      52.101.40.26    A (IP address)        IN (0x0001)  false
                                                                                          Target ID:0
                                                                                          Start time:13:03:55
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Users\user\Desktop\foufdsk.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\foufdsk.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:11'724'288 bytes
                                                                                          MD5 hash:3482CBBB23D7548633DDE35F128EA40A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2117687382.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2153887061.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:13:03:57
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qruvscyd\
                                                                                          Imagebase:0x1c0000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:13:03:57
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:13:03:57
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\zgjedxxr.exe" C:\Windows\SysWOW64\qruvscyd\
                                                                                          Imagebase:0x1c0000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:13:03:57
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:13:03:58
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" create qruvscyd binPath= "C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d\"C:\Users\user\Desktop\foufdsk.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                          Imagebase:0xce0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:13:03:58
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:13:03:58
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" description qruvscyd "wifi internet conection"
                                                                                          Imagebase:0xce0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:13:03:58
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:13:03:59
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" start qruvscyd
                                                                                          Imagebase:0xce0000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:13:03:59
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:13:03:59
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe /d"C:\Users\user\Desktop\foufdsk.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:11'648'512 bytes
                                                                                          MD5 hash:B0BAD557872E328489366B11673D2CBC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2152903144.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2154069469.0000000000632000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2154225288.0000000000F40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:13:03:59
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0xa60000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:13:03:59
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:15
                                                                                          Start time:13:04:00
                                                                                          Start date:03/09/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0x930000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Has exited:false

Target ID: 20
Start time: 13:04:40
Start date: 03/09/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase: 0x7ff7403e0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 3.9%
Dynamic/Decrypted Code Coverage: 30.2%
Signature Coverage: 27.3%
Total number of Nodes: 1592
Total number of Limit Nodes: 19
execution_graph: node/edge data of the interactive execution graph (function addresses with the Windows API calls observed at each node, e.g. entry node 409a6b: SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter); the full edge list is not reproduced in text form.
15532->15534 15535 40c699 15532->15535 15533->15532 15534->15535 15536 40c6f3 15535->15536 15537 40c73c send 15535->15537 15536->14988 15536->15029 15537->15536 15539 40c770 15538->15539 15540 40c77d 15538->15540 15541 40ebcc 4 API calls 15539->15541 15542 40c799 15540->15542 15543 40ebcc 4 API calls 15540->15543 15541->15540 15544 40c7b5 15542->15544 15546 40ebcc 4 API calls 15542->15546 15543->15542 15545 40f43e recv 15544->15545 15547 40c7cb 15545->15547 15546->15544 15548 40c7d3 15547->15548 15549 40f43e recv 15547->15549 15548->15029 15549->15548 15666 407db7 15550->15666 15553 40f04e 4 API calls 15555 407e4c 15553->15555 15554 40f04e 4 API calls 15556 407e96 15554->15556 15557 40f04e 4 API calls 15555->15557 15558 407e70 15555->15558 15556->15029 15557->15558 15558->15554 15558->15556 15560 406ec3 2 API calls 15559->15560 15561 407fdd 15560->15561 15562 4073ff 17 API calls 15561->15562 15571 4080c2 CreateProcessA 15561->15571 15563 407fff 15562->15563 15564 407809 21 API calls 15563->15564 15563->15571 15565 40804d 15564->15565 15566 40ef1e lstrlenA 15565->15566 15565->15571 15567 40809e 15566->15567 15568 40ef1e lstrlenA 15567->15568 15569 4080af 15568->15569 15570 407a95 24 API calls 15569->15570 15570->15571 15571->15041 15571->15042 15573 407db7 2 API calls 15572->15573 15574 407eb8 15573->15574 15575 40f04e 4 API calls 15574->15575 15576 407ece DeleteFileA 15575->15576 15576->15029 15578 40dd05 6 API calls 15577->15578 15579 40e31d 15578->15579 15670 40e177 15579->15670 15581 40e326 15581->15012 15583 4031f3 15582->15583 15593 4031ec 15582->15593 15584 40ebcc 4 API calls 15583->15584 15598 4031fc 15584->15598 15585 40344b 15586 403459 15585->15586 15587 40349d 15585->15587 15588 40f04e 4 API calls 15586->15588 15589 40ec2e codecvt 4 API calls 15587->15589 15590 40345f 15588->15590 15589->15593 15591 4030fa 4 API calls 15590->15591 15591->15593 15592 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15592->15598 15593->15029 15594 40344d 15595 
40ec2e codecvt 4 API calls 15594->15595 15595->15585 15597 403141 lstrcmpiA 15597->15598 15598->15585 15598->15592 15598->15593 15598->15594 15598->15597 15696 4030fa GetTickCount 15598->15696 15600 4030fa 4 API calls 15599->15600 15601 403c1a 15600->15601 15602 403ce6 15601->15602 15701 403a72 15601->15701 15602->15029 15605 403a72 9 API calls 15607 403c5e 15605->15607 15606 403a72 9 API calls 15606->15607 15607->15602 15607->15606 15608 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15607->15608 15608->15607 15610 403a10 15609->15610 15611 4030fa 4 API calls 15610->15611 15612 403a1a 15611->15612 15612->15029 15614 40dd05 6 API calls 15613->15614 15615 40e7be 15614->15615 15615->15029 15617 40c07e wsprintfA 15616->15617 15621 40c105 15616->15621 15710 40bfce GetTickCount wsprintfA 15617->15710 15619 40c0ef 15711 40bfce GetTickCount wsprintfA 15619->15711 15621->15029 15623 407047 15622->15623 15624 406f88 LookupAccountNameA 15622->15624 15623->15029 15626 407025 15624->15626 15627 406fcb 15624->15627 15628 406edd 5 API calls 15626->15628 15629 406fdb ConvertSidToStringSidA 15627->15629 15630 40702a wsprintfA 15628->15630 15629->15626 15631 406ff1 15629->15631 15630->15623 15632 407013 LocalFree 15631->15632 15632->15626 15634 40dd05 6 API calls 15633->15634 15635 40e85c 15634->15635 15636 40dd84 lstrcmpiA 15635->15636 15637 40e867 15636->15637 15638 40e885 lstrcpyA 15637->15638 15712 4024a5 15637->15712 15715 40dd69 15638->15715 15644 407db7 2 API calls 15643->15644 15645 407de1 15644->15645 15646 407e16 15645->15646 15647 40f04e 4 API calls 15645->15647 15646->15029 15648 407df2 15647->15648 15648->15646 15649 40f04e 4 API calls 15648->15649 15649->15646 15651 40dd84 lstrcmpiA 15650->15651 15652 40c58e 15651->15652 15652->15501 15652->15507 15652->15509 15654 40ca1d 15653->15654 15655 40f33b 15653->15655 15654->14972 15654->15526 15656 40f347 htons socket 15655->15656 15657 40f382 ioctlsocket 15656->15657 15658 40f374 closesocket 15656->15658 
15659 40f3aa connect select 15657->15659 15660 40f39d 15657->15660 15658->15654 15659->15654 15662 40f3f2 __WSAFDIsSet 15659->15662 15661 40f39f closesocket 15660->15661 15661->15654 15662->15661 15663 40f403 ioctlsocket 15662->15663 15665 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15663->15665 15665->15654 15667 407dc8 InterlockedExchange 15666->15667 15668 407dc0 Sleep 15667->15668 15669 407dd4 15667->15669 15668->15667 15669->15553 15669->15558 15671 40e184 15670->15671 15672 40e2e4 15671->15672 15673 40e223 15671->15673 15686 40dfe2 15671->15686 15672->15581 15673->15672 15675 40dfe2 8 API calls 15673->15675 15679 40e23c 15675->15679 15676 40e1be 15676->15673 15677 40dbcf 3 API calls 15676->15677 15680 40e1d6 15677->15680 15678 40e21a CloseHandle 15678->15673 15679->15672 15690 40e095 RegCreateKeyExA 15679->15690 15680->15673 15680->15678 15681 40e1f9 WriteFile 15680->15681 15681->15678 15682 40e213 15681->15682 15682->15678 15684 40e2a3 15684->15672 15685 40e095 4 API calls 15684->15685 15685->15672 15687 40dffc 15686->15687 15689 40e024 15686->15689 15688 40db2e 8 API calls 15687->15688 15687->15689 15688->15689 15689->15676 15691 40e172 15690->15691 15693 40e0c0 15690->15693 15691->15684 15692 40e13d 15694 40e14e RegDeleteValueA RegCloseKey 15692->15694 15693->15692 15695 40e115 RegSetValueExA 15693->15695 15694->15691 15695->15692 15695->15693 15697 403122 InterlockedExchange 15696->15697 15698 40312e 15697->15698 15699 40310f GetTickCount 15697->15699 15698->15598 15699->15698 15700 40311a Sleep 15699->15700 15700->15697 15702 40f04e 4 API calls 15701->15702 15709 403a83 15702->15709 15703 403be6 15706 40ec2e codecvt 4 API calls 15703->15706 15704 403bc0 15704->15703 15707 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15704->15707 15705 403ac1 15705->15602 15705->15605 15706->15705 15707->15704 15708 403b66 lstrlenA 15708->15705 15708->15709 15709->15704 15709->15705 15709->15708 15710->15619 15711->15621 15713 402419 4 
API calls 15712->15713 15714 4024b6 15713->15714 15714->15638 15716 40dd79 lstrlenA 15715->15716 15716->15029 15718 404084 15717->15718 15719 40407d 15717->15719 15720 403ecd 6 API calls 15718->15720 15721 40408f 15720->15721 15722 404000 3 API calls 15721->15722 15724 404095 15722->15724 15723 404130 15725 403ecd 6 API calls 15723->15725 15724->15723 15729 403f18 4 API calls 15724->15729 15726 404159 CreateNamedPipeA 15725->15726 15727 404167 Sleep 15726->15727 15728 404188 ConnectNamedPipe 15726->15728 15727->15723 15730 404176 CloseHandle 15727->15730 15732 404195 GetLastError 15728->15732 15739 4041ab 15728->15739 15731 4040da 15729->15731 15730->15728 15733 403f8c 4 API calls 15731->15733 15734 40425e DisconnectNamedPipe 15732->15734 15732->15739 15735 4040ec 15733->15735 15734->15728 15736 404127 CloseHandle 15735->15736 15737 404101 15735->15737 15736->15723 15740 403f18 4 API calls 15737->15740 15738 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15738->15739 15739->15728 15739->15734 15739->15738 15742 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15739->15742 15743 40426a CloseHandle CloseHandle 15739->15743 15741 40411c ExitProcess 15740->15741 15742->15739 15744 40e318 23 API calls 15743->15744 15745 40427b 15744->15745 15745->15745 15747 408791 15746->15747 15748 40879f 15746->15748 15749 40f04e 4 API calls 15747->15749 15750 4087bc 15748->15750 15751 40f04e 4 API calls 15748->15751 15749->15748 15752 40e819 11 API calls 15750->15752 15751->15750 15753 4087d7 15752->15753 15760 408803 15753->15760 15768 4026b2 gethostbyaddr 15753->15768 15756 4087eb 15758 40e8a1 30 API calls 15756->15758 15756->15760 15758->15760 15762 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15760->15762 15763 40e819 11 API calls 15760->15763 15764 4088a0 Sleep 15760->15764 15765 4026b2 2 API calls 15760->15765 15767 40e8a1 30 API calls 15760->15767 15773 408cee 15760->15773 15781 40c4d6 15760->15781 
15784 40c4e2 15760->15784 15787 402011 15760->15787 15822 408328 15760->15822 15762->15760 15763->15760 15764->15760 15765->15760 15767->15760 15769 4026fb 15768->15769 15770 4026cd 15768->15770 15769->15756 15771 4026e1 inet_ntoa 15770->15771 15772 4026de 15770->15772 15771->15772 15772->15756 15774 408d02 GetTickCount 15773->15774 15775 408dae 15773->15775 15774->15775 15776 408d19 15774->15776 15775->15760 15777 408da1 GetTickCount 15776->15777 15780 408d89 15776->15780 15874 40a677 15776->15874 15877 40a688 15776->15877 15777->15775 15780->15777 15885 40c2dc 15781->15885 15785 40c2dc 142 API calls 15784->15785 15786 40c4ec 15785->15786 15786->15760 15788 402020 15787->15788 15789 40202e 15787->15789 15790 40f04e 4 API calls 15788->15790 15791 40f04e 4 API calls 15789->15791 15794 40204b 15789->15794 15790->15789 15791->15794 15792 40206e GetTickCount 15793 4020db GetTickCount 15792->15793 15804 402090 15792->15804 15797 402132 GetTickCount GetTickCount 15793->15797 15806 4020e7 15793->15806 15794->15792 15795 40f04e 4 API calls 15794->15795 15798 402068 15795->15798 15796 4020d4 GetTickCount 15796->15793 15799 40f04e 4 API calls 15797->15799 15798->15792 15802 402159 15799->15802 15800 40212b GetTickCount 15800->15797 15801 402684 2 API calls 15801->15804 15805 4021b4 15802->15805 15808 40e854 13 API calls 15802->15808 15804->15796 15804->15801 15811 4020ce 15804->15811 16214 401978 15804->16214 15807 40f04e 4 API calls 15805->15807 15806->15800 15814 401978 15 API calls 15806->15814 15815 402125 15806->15815 16219 402ef8 15806->16219 15810 4021d1 15807->15810 15812 40218e 15808->15812 15816 4021f2 15810->15816 15818 40ea84 30 API calls 15810->15818 15811->15796 15813 40e819 11 API calls 15812->15813 15817 40219c 15813->15817 15814->15806 15815->15800 15816->15760 15817->15805 16227 401c5f 15817->16227 15819 4021ec 15818->15819 15820 40f04e 4 API calls 15819->15820 15820->15816 15823 407dd6 6 API calls 15822->15823 15824 40833c 15823->15824 15825 406ec3 2 API 
calls 15824->15825 15851 408340 15824->15851 15826 40834f 15825->15826 15827 40835c 15826->15827 15833 40846b 15826->15833 15828 4073ff 17 API calls 15827->15828 15852 408373 15828->15852 15829 4085df 15830 408626 GetTempPathA 15829->15830 15831 408638 15829->15831 15841 408762 15829->15841 15830->15831 16299 406ba7 IsBadCodePtr 15831->16299 15832 40675c 21 API calls 15832->15829 15835 4084a7 RegOpenKeyExA 15833->15835 15848 408450 15833->15848 15836 4084c0 RegQueryValueExA 15835->15836 15837 40852f 15835->15837 15839 408521 RegCloseKey 15836->15839 15840 4084dd 15836->15840 15842 408564 RegOpenKeyExA 15837->15842 15855 4085a5 15837->15855 15838 4086ad 15838->15841 15843 407e2f 6 API calls 15838->15843 15839->15837 15840->15839 15845 40ebcc 4 API calls 15840->15845 15847 40ec2e codecvt 4 API calls 15841->15847 15841->15851 15844 408573 RegSetValueExA RegCloseKey 15842->15844 15842->15855 15856 4086bb 15843->15856 15844->15855 15850 4084f0 15845->15850 15846 40875b DeleteFileA 15846->15841 15847->15851 15848->15829 15848->15832 15850->15839 15854 4084f8 RegQueryValueExA 15850->15854 15851->15760 15852->15848 15852->15851 15853 4083ea RegOpenKeyExA 15852->15853 15853->15848 15857 4083fd RegQueryValueExA 15853->15857 15854->15839 15858 408515 15854->15858 15855->15848 15859 40ec2e codecvt 4 API calls 15855->15859 15856->15846 15863 4086e0 lstrcpyA lstrlenA 15856->15863 15860 40842d RegSetValueExA 15857->15860 15861 40841e 15857->15861 15862 40ec2e codecvt 4 API calls 15858->15862 15859->15848 15864 408447 RegCloseKey 15860->15864 15861->15860 15861->15864 15865 40851d 15862->15865 15866 407fcf 64 API calls 15863->15866 15864->15848 15865->15839 15867 408719 CreateProcessA 15866->15867 15868 40873d CloseHandle CloseHandle 15867->15868 15869 40874f 15867->15869 15868->15841 15870 407ee6 64 API calls 15869->15870 15871 408754 15870->15871 15872 407ead 6 API calls 15871->15872 15873 40875a 15872->15873 15873->15846 15880 40a63d 15874->15880 15876 40a685 15876->15776 15878 
40a63d GetTickCount 15877->15878 15879 40a696 15878->15879 15879->15776 15881 40a645 15880->15881 15882 40a64d 15880->15882 15881->15876 15883 40a66e 15882->15883 15884 40a65e GetTickCount 15882->15884 15883->15876 15884->15883 15901 40a4c7 GetTickCount 15885->15901 15888 40c300 GetTickCount 15890 40c337 15888->15890 15889 40c326 15889->15890 15891 40c32b GetTickCount 15889->15891 15894 40c363 GetTickCount 15890->15894 15900 40c45e 15890->15900 15891->15890 15892 40c4d2 15892->15760 15893 40c4ab InterlockedIncrement CreateThread 15893->15892 15895 40c4cb CloseHandle 15893->15895 15906 40b535 15893->15906 15896 40c373 15894->15896 15894->15900 15895->15892 15897 40c378 GetTickCount 15896->15897 15898 40c37f 15896->15898 15897->15898 15899 40c43b GetTickCount 15898->15899 15899->15900 15900->15892 15900->15893 15902 40a4f7 InterlockedExchange 15901->15902 15903 40a500 15902->15903 15904 40a4e4 GetTickCount 15902->15904 15903->15888 15903->15889 15903->15900 15904->15903 15905 40a4ef Sleep 15904->15905 15905->15902 15907 40b566 15906->15907 15908 40ebcc 4 API calls 15907->15908 15909 40b587 15908->15909 15910 40ebcc 4 API calls 15909->15910 15930 40b590 15910->15930 15911 40bdcd InterlockedDecrement 15912 40bde2 15911->15912 15914 40ec2e codecvt 4 API calls 15912->15914 15915 40bdea 15914->15915 15917 40ec2e codecvt 4 API calls 15915->15917 15916 40bdb7 Sleep 15916->15930 15918 40bdf2 15917->15918 15919 40be05 15918->15919 15921 40ec2e codecvt 4 API calls 15918->15921 15920 40bdcc 15920->15911 15921->15919 15922 40ebed 8 API calls 15922->15930 15925 40b6b6 lstrlenA 15925->15930 15926 4030b5 2 API calls 15926->15930 15927 40e819 11 API calls 15927->15930 15928 40b6ed lstrcpyA 15981 405ce1 15928->15981 15930->15911 15930->15916 15930->15920 15930->15922 15930->15925 15930->15926 15930->15927 15930->15928 15932 40b731 lstrlenA 15930->15932 15933 40b71f lstrcmpA 15930->15933 15934 40b772 GetTickCount 15930->15934 15935 40bd49 InterlockedIncrement 15930->15935 15937 40ab81 
lstrcpynA InterlockedIncrement 15930->15937 15939 40b7ce InterlockedIncrement 15930->15939 15940 40bc5b InterlockedIncrement 15930->15940 15943 40b912 GetTickCount 15930->15943 15944 40b932 GetTickCount 15930->15944 15945 40bcdc closesocket 15930->15945 15946 40b826 InterlockedIncrement 15930->15946 15948 4038f0 6 API calls 15930->15948 15950 40bba6 InterlockedIncrement 15930->15950 15953 40bc4c closesocket 15930->15953 15954 40a7c1 22 API calls 15930->15954 15956 40ba71 wsprintfA 15930->15956 15957 405ded 12 API calls 15930->15957 15959 405ce1 23 API calls 15930->15959 15961 40ef1e lstrlenA 15930->15961 15962 40a688 GetTickCount 15930->15962 15963 403e10 15930->15963 15966 403e4f 15930->15966 15969 40384f 15930->15969 15989 40a7a3 inet_ntoa 15930->15989 15996 40abee 15930->15996 16008 401feb GetTickCount 15930->16008 16029 403cfb 15930->16029 16032 40b3c5 15930->16032 16063 40ab81 15930->16063 15932->15930 15933->15930 15933->15932 15934->15930 16075 40a628 15935->16075 15937->15930 15991 40acd7 15939->15991 15940->15930 15943->15930 15944->15930 15947 40bc6d InterlockedIncrement 15944->15947 15945->15930 15946->15934 15947->15930 15948->15930 15950->15930 15953->15930 15954->15930 16009 40a7c1 15956->16009 15957->15930 15959->15930 15961->15930 15962->15930 15964 4030fa 4 API calls 15963->15964 15965 403e1d 15964->15965 15965->15930 15967 4030fa 4 API calls 15966->15967 15968 403e5c 15967->15968 15968->15930 15970 4030fa 4 API calls 15969->15970 15971 403863 15970->15971 15972 4038b9 15971->15972 15973 403889 15971->15973 15980 4038b2 15971->15980 16084 4035f9 15972->16084 16078 403718 15973->16078 15978 403718 6 API calls 15978->15980 15979 4035f9 6 API calls 15979->15980 15980->15930 15982 405cf4 15981->15982 15983 405cec 15981->15983 15985 404bd1 4 API calls 15982->15985 16090 404bd1 GetTickCount 15983->16090 15986 405d02 15985->15986 16095 405472 15986->16095 15990 40a7b9 15989->15990 15990->15930 15992 40f315 14 API calls 15991->15992 15993 40aceb 
15992->15993 15994 40acff 15993->15994 15995 40f315 14 API calls 15993->15995 15994->15930 15995->15994 15997 40abfb 15996->15997 16000 40ac65 15997->16000 16160 402f22 15997->16160 15999 40f315 14 API calls 15999->16000 16000->15999 16001 40ac6f 16000->16001 16002 40ac8a 16000->16002 16004 40ab81 2 API calls 16001->16004 16002->15930 16003 40ac23 16003->16000 16006 402684 2 API calls 16003->16006 16005 40ac81 16004->16005 16168 4038f0 16005->16168 16006->16003 16008->15930 16010 40a87d lstrlenA send 16009->16010 16011 40a7df 16009->16011 16012 40a899 16010->16012 16013 40a8bf 16010->16013 16011->16010 16017 40a7fa wsprintfA 16011->16017 16020 40a80a 16011->16020 16021 40a8f2 16011->16021 16014 40a8a5 wsprintfA 16012->16014 16022 40a89e 16012->16022 16015 40a8c4 send 16013->16015 16013->16021 16014->16022 16018 40a8d8 wsprintfA 16015->16018 16015->16021 16016 40a978 recv 16016->16021 16023 40a982 16016->16023 16017->16020 16018->16022 16019 40a9b0 wsprintfA 16019->16022 16020->16010 16021->16016 16021->16019 16021->16023 16022->15930 16023->16022 16024 4030b5 2 API calls 16023->16024 16025 40ab05 16024->16025 16026 40e819 11 API calls 16025->16026 16027 40ab17 16026->16027 16028 40a7a3 inet_ntoa 16027->16028 16028->16022 16030 4030fa 4 API calls 16029->16030 16031 403d0b 16030->16031 16031->15930 16033 405ce1 23 API calls 16032->16033 16034 40b3e6 16033->16034 16035 405ce1 23 API calls 16034->16035 16037 40b404 16035->16037 16036 40b440 16038 40ef7c 3 API calls 16036->16038 16037->16036 16039 40ef7c 3 API calls 16037->16039 16040 40b458 wsprintfA 16038->16040 16041 40b42b 16039->16041 16043 40ef7c 3 API calls 16040->16043 16042 40ef7c 3 API calls 16041->16042 16042->16036 16044 40b480 16043->16044 16045 40ef7c 3 API calls 16044->16045 16046 40b493 16045->16046 16047 40ef7c 3 API calls 16046->16047 16048 40b4bb 16047->16048 16182 40ad89 GetLocalTime SystemTimeToFileTime 16048->16182 16052 40b4cc 16053 40ef7c 3 API calls 16052->16053 16054 40b4dd 16053->16054 16055 
40b211 7 API calls 16054->16055 16056 40b4ec 16055->16056 16057 40ef7c 3 API calls 16056->16057 16058 40b4fd 16057->16058 16059 40b211 7 API calls 16058->16059 16060 40b509 16059->16060 16061 40ef7c 3 API calls 16060->16061 16062 40b51a 16061->16062 16062->15930 16064 40abe9 GetTickCount 16063->16064 16066 40ab8c 16063->16066 16068 40a51d 16064->16068 16065 40aba8 lstrcpynA 16065->16066 16066->16064 16066->16065 16067 40abe1 InterlockedIncrement 16066->16067 16067->16066 16069 40a4c7 4 API calls 16068->16069 16070 40a52c 16069->16070 16071 40a542 GetTickCount 16070->16071 16073 40a539 GetTickCount 16070->16073 16071->16073 16074 40a56c 16073->16074 16074->15930 16076 40a4c7 4 API calls 16075->16076 16077 40a633 16076->16077 16077->15930 16079 40f04e 4 API calls 16078->16079 16081 40372a 16079->16081 16080 403847 16080->15978 16080->15980 16081->16080 16082 4037b3 GetCurrentThreadId 16081->16082 16082->16081 16083 4037c8 GetCurrentThreadId 16082->16083 16083->16081 16085 40f04e 4 API calls 16084->16085 16086 40360c 16085->16086 16087 4036da GetCurrentThreadId 16086->16087 16088 4036f1 16086->16088 16087->16088 16089 4036e5 GetCurrentThreadId 16087->16089 16088->15979 16088->15980 16089->16088 16091 404bff InterlockedExchange 16090->16091 16092 404c08 16091->16092 16093 404bec GetTickCount 16091->16093 16092->15982 16093->16092 16094 404bf7 Sleep 16093->16094 16094->16091 16116 404763 16095->16116 16097 405b58 16126 404699 16097->16126 16100 404763 lstrlenA 16101 405b6e 16100->16101 16147 404f9f 16101->16147 16103 405b79 16103->15930 16105 405549 lstrlenA 16115 40548a 16105->16115 16106 404ae6 8 API calls 16106->16115 16108 40558d lstrcpynA 16108->16115 16109 405a9f lstrcpyA 16109->16115 16110 405935 lstrcpynA 16110->16115 16111 404ae6 8 API calls 16112 405643 LoadLibraryW 16111->16112 16112->16115 16113 405472 13 API calls 16113->16115 16114 4058e7 lstrcpyA 16114->16115 16115->16097 16115->16106 16115->16108 16115->16109 16115->16110 16115->16111 16115->16113 
16115->16114 16120 404ae6 16115->16120 16124 40ef7c lstrlenA lstrlenA lstrlenA 16115->16124 16118 40477a 16116->16118 16117 404859 16117->16115 16118->16117 16119 40480d lstrlenA 16118->16119 16119->16118 16121 404af3 16120->16121 16123 404b03 16120->16123 16122 40ebed 8 API calls 16121->16122 16122->16123 16123->16105 16125 40efb4 16124->16125 16125->16115 16152 4045b3 16126->16152 16129 4045b3 7 API calls 16130 4046c6 16129->16130 16131 4045b3 7 API calls 16130->16131 16132 4046d8 16131->16132 16133 4045b3 7 API calls 16132->16133 16134 4046ea 16133->16134 16135 4045b3 7 API calls 16134->16135 16136 4046ff 16135->16136 16137 4045b3 7 API calls 16136->16137 16138 404711 16137->16138 16139 4045b3 7 API calls 16138->16139 16140 404723 16139->16140 16141 40ef7c 3 API calls 16140->16141 16142 404735 16141->16142 16143 40ef7c 3 API calls 16142->16143 16144 40474a 16143->16144 16145 40ef7c 3 API calls 16144->16145 16146 40475c 16145->16146 16146->16100 16148 404fac 16147->16148 16151 404fb0 16147->16151 16148->16103 16149 404ffd 16149->16103 16150 404fd5 IsBadCodePtr 16150->16151 16151->16149 16151->16150 16153 4045c1 16152->16153 16154 4045c8 16152->16154 16155 40ebcc 4 API calls 16153->16155 16156 40ebcc 4 API calls 16154->16156 16158 4045e1 16154->16158 16155->16154 16156->16158 16157 404691 16157->16129 16158->16157 16159 40ef7c 3 API calls 16158->16159 16159->16158 16175 402d21 GetModuleHandleA 16160->16175 16163 402fcf GetProcessHeap HeapFree 16167 402f44 16163->16167 16164 402f4f 16166 402f6b GetProcessHeap HeapFree 16164->16166 16165 402f85 16165->16163 16166->16167 16167->16003 16169 403900 16168->16169 16170 403980 16168->16170 16171 4030fa 4 API calls 16169->16171 16170->16002 16174 40390a 16171->16174 16172 40391b GetCurrentThreadId 16172->16174 16173 403939 GetCurrentThreadId 16173->16174 16174->16170 16174->16172 16174->16173 16176 402d46 LoadLibraryA 16175->16176 16177 402d5b GetProcAddress 16175->16177 16176->16177 16180 402d54 16176->16180 16178 402d6b 
16177->16178 16177->16180 16179 402d97 GetProcessHeap HeapAlloc 16178->16179 16178->16180 16181 402db5 lstrcpynA 16178->16181 16179->16178 16179->16180 16180->16164 16180->16165 16180->16167 16181->16178 16183 40adbf 16182->16183 16207 40ad08 gethostname 16183->16207 16186 4030b5 2 API calls 16187 40add3 16186->16187 16188 40a7a3 inet_ntoa 16187->16188 16195 40ade4 16187->16195 16188->16195 16189 40ae85 wsprintfA 16190 40ef7c 3 API calls 16189->16190 16192 40aebb 16190->16192 16191 40ae36 wsprintfA wsprintfA 16193 40ef7c 3 API calls 16191->16193 16194 40ef7c 3 API calls 16192->16194 16193->16195 16196 40aed2 16194->16196 16195->16189 16195->16191 16197 40b211 16196->16197 16198 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16197->16198 16199 40b2af GetLocalTime 16197->16199 16200 40b2d2 16198->16200 16199->16200 16201 40b2d9 SystemTimeToFileTime 16200->16201 16202 40b31c GetTimeZoneInformation 16200->16202 16203 40b2ec 16201->16203 16204 40b33a wsprintfA 16202->16204 16205 40b312 FileTimeToSystemTime 16203->16205 16204->16052 16205->16202 16208 40ad71 16207->16208 16213 40ad26 lstrlenA 16207->16213 16210 40ad85 16208->16210 16211 40ad79 lstrcpyA 16208->16211 16210->16186 16211->16210 16212 40ad68 lstrlenA 16212->16208 16213->16208 16213->16212 16215 40f428 14 API calls 16214->16215 16216 40198a 16215->16216 16217 401990 closesocket 16216->16217 16218 401998 16216->16218 16217->16218 16218->15804 16220 402d21 6 API calls 16219->16220 16221 402f01 16220->16221 16222 402f0f 16221->16222 16235 402df2 GetModuleHandleA 16221->16235 16224 402684 2 API calls 16222->16224 16226 402f1f 16222->16226 16225 402f1d 16224->16225 16225->15806 16226->15806 16228 401c80 16227->16228 16229 401d1c 16228->16229 16230 401cc2 wsprintfA 16228->16230 16233 401d79 16228->16233 16229->16229 16232 401d47 wsprintfA 16229->16232 16231 402684 2 API calls 16230->16231 16231->16228 16234 402684 2 API calls 16232->16234 16233->15805 16234->16233 16236 402e10 LoadLibraryA 16235->16236 16237 
402e0b 16235->16237 16238 402e17 16236->16238 16237->16236 16237->16238 16239 402ef1 16238->16239 16240 402e28 GetProcAddress 16238->16240 16239->16222 16240->16239 16241 402e3e GetProcessHeap HeapAlloc 16240->16241 16245 402e62 16241->16245 16242 402ede GetProcessHeap HeapFree 16242->16239 16243 402e7f htons inet_addr 16244 402ea5 gethostbyname 16243->16244 16243->16245 16244->16245 16245->16239 16245->16242 16245->16243 16245->16244 16247 402ceb 16245->16247 16248 402cf2 16247->16248 16250 402d1c 16248->16250 16251 402d0e Sleep 16248->16251 16252 402a62 GetProcessHeap HeapAlloc 16248->16252 16250->16245 16251->16248 16251->16250 16253 402a92 16252->16253 16254 402a99 socket 16252->16254 16253->16248 16255 402cd3 GetProcessHeap HeapFree 16254->16255 16256 402ab4 16254->16256 16255->16253 16256->16255 16270 402abd 16256->16270 16257 402adb htons 16272 4026ff 16257->16272 16259 402b04 select 16259->16270 16260 402ca4 16261 402cb3 GetProcessHeap HeapFree closesocket 16260->16261 16261->16253 16262 402b3f recv 16262->16270 16263 402b66 htons 16263->16260 16263->16270 16264 402b87 htons 16264->16260 16264->16270 16266 402bf3 GetProcessHeap HeapAlloc 16266->16270 16268 402c17 htons 16287 402871 16268->16287 16270->16257 16270->16259 16270->16260 16270->16261 16270->16262 16270->16263 16270->16264 16270->16266 16270->16268 16271 402c4d GetProcessHeap HeapFree 16270->16271 16279 402923 16270->16279 16291 402904 16270->16291 16271->16270 16273 40271d 16272->16273 16274 402717 16272->16274 16276 40272b GetTickCount htons 16273->16276 16275 40ebcc 4 API calls 16274->16275 16275->16273 16277 4027cc htons htons sendto 16276->16277 16278 40278a 16276->16278 16277->16270 16278->16277 16280 402944 16279->16280 16283 40293d 16279->16283 16295 402816 htons 16280->16295 16282 402950 16282->16283 16284 402871 htons 16282->16284 16285 4029bd htons htons htons 16282->16285 16283->16270 16284->16282 16285->16283 16286 4029f6 GetProcessHeap HeapAlloc 16285->16286 16286->16282 
16286->16283 16288 4028e3 16287->16288 16290 402889 16287->16290 16288->16270 16289 4028c3 htons 16289->16288 16289->16290 16290->16288 16290->16289 16292 402921 16291->16292 16293 402908 16291->16293 16292->16270 16294 402909 GetProcessHeap HeapFree 16293->16294 16294->16292 16294->16294 16296 40286b 16295->16296 16297 402836 16295->16297 16296->16282 16297->16296 16298 40285c htons 16297->16298 16298->16296 16298->16297 16300 406bc0 16299->16300 16301 406bbc 16299->16301 16302 40ebcc 4 API calls 16300->16302 16312 406bd4 16300->16312 16301->15838 16303 406be4 16302->16303 16304 406c07 CreateFileA 16303->16304 16305 406bfc 16303->16305 16303->16312 16307 406c34 WriteFile 16304->16307 16308 406c2a 16304->16308 16306 40ec2e codecvt 4 API calls 16305->16306 16306->16312 16310 406c49 CloseHandle DeleteFileA 16307->16310 16311 406c5a CloseHandle 16307->16311 16309 40ec2e codecvt 4 API calls 16308->16309 16309->16312 16310->16308 16313 40ec2e codecvt 4 API calls 16311->16313 16312->15838 16313->16312 14550 780920 TerminateProcess 16314 780005 16319 78092b GetPEB 16314->16319 16316 780030 16321 78003c 16316->16321 16320 780972 16319->16320 16320->16316 16322 780049 16321->16322 16336 780e0f SetErrorMode SetErrorMode 16322->16336 16327 780265 16328 7802ce VirtualProtect 16327->16328 16329 78030b 16328->16329 16330 780439 VirtualFree 16329->16330 16334 7804be 16330->16334 16335 7805f4 LoadLibraryA 16330->16335 16331 7804e3 LoadLibraryA 16331->16334 16333 7808c7 16334->16331 16334->16335 16335->16333 16337 780223 16336->16337 16338 780d90 16337->16338 16339 780dad 16338->16339 16340 780dbb GetPEB 16339->16340 16341 780238 VirtualAlloc 16339->16341 16340->16341 16341->16327 14535 808608 14536 808617 14535->14536 14539 808da8 14536->14539 14540 808dc3 14539->14540 14541 808dcc CreateToolhelp32Snapshot 14540->14541 14542 808de8 Module32First 14540->14542 14541->14540 14541->14542 14543 808df7 14542->14543 14544 808620 14542->14544 14546 808a67 14543->14546 14547 808a92 
14546->14547 14548 808aa3 VirtualAlloc 14547->14548 14549 808adb 14547->14549 14548->14549 14549->14549 14504 407a95 RegOpenKeyExA 14505 407ac4 14504->14505 14506 407acb GetUserNameA 14504->14506 14507 407da7 RegCloseKey 14506->14507 14508 407aed LookupAccountNameA 14506->14508 14507->14505 14508->14507 14509 407b24 RegGetKeySecurity 14508->14509 14509->14507 14510 407b49 GetSecurityDescriptorOwner 14509->14510 14511 407b63 EqualSid 14510->14511 14512 407bb8 GetSecurityDescriptorDacl 14510->14512 14511->14512 14514 407b74 LocalAlloc 14511->14514 14513 407da6 14512->14513 14521 407bdc 14512->14521 14513->14507 14514->14512 14515 407b8a InitializeSecurityDescriptor 14514->14515 14516 407bb1 LocalFree 14515->14516 14517 407b96 SetSecurityDescriptorOwner 14515->14517 14516->14512 14517->14516 14519 407ba6 RegSetKeySecurity 14517->14519 14518 407bf8 GetAce 14518->14521 14519->14516 14520 407c1d EqualSid 14520->14521 14521->14513 14521->14518 14521->14520 14522 407cd9 14521->14522 14523 407c5f EqualSid 14521->14523 14524 407c3a DeleteAce 14521->14524 14522->14513 14525 407d5a LocalAlloc 14522->14525 14527 407cf2 RegOpenKeyExA 14522->14527 14523->14521 14524->14521 14525->14513 14526 407d70 InitializeSecurityDescriptor 14525->14526 14528 407d7c SetSecurityDescriptorDacl 14526->14528 14529 407d9f LocalFree 14526->14529 14527->14525 14532 407d0f 14527->14532 14528->14529 14530 407d8c RegSetKeySecurity 14528->14530 14529->14513 14530->14529 14531 407d9c 14530->14531 14531->14529 14533 407d43 RegSetValueExA 14532->14533 14533->14525 14534 407d54 14533->14534 14534->14525
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph

control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 267 407db4-407db6 265->267 268 407da7-407db3 RegCloseKey 266->268 269 407aed-407b1e LookupAccountNameA 266->269 268->267 269->268 270 407b24-407b43 RegGetKeySecurity 269->270 270->268 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 276 407b74-407b88 LocalAlloc 272->276 274 407da6 273->274 275 407bdc-407be1 273->275 274->268 275->274 277 407be7-407bf2 275->277 276->273 278 407b8a-407b94 InitializeSecurityDescriptor 276->278 277->274 281 407bf8-407c08 GetAce 277->281 279 407bb1-407bb2 LocalFree 278->279 280 407b96-407ba4 SetSecurityDescriptorOwner 278->280 279->273 280->279 282 407ba6-407bab RegSetKeySecurity 280->282 283 407cc6 281->283 284 407c0e-407c1b 281->284 282->279 285 407cc9-407cd3 283->285 286 407c1d-407c2f EqualSid 284->286 287 407c4f-407c52 284->287 285->281 288 407cd9-407cdc 285->288 289 407c31-407c34 286->289 290 407c36-407c38 286->290 291 407c54-407c5e 287->291 292 407c5f-407c71 EqualSid 287->292 288->274 293 407ce2-407ce8 288->293 289->286 289->290 290->287 294 407c3a-407c4d DeleteAce 290->294 291->292 295 407c73-407c84 292->295 296 407c86 292->296 298 407d5a-407d6e LocalAlloc 293->298 299 407cea-407cf0 293->299 294->285 297 407c8b-407c8e 295->297 296->297 300 407c90-407c96 297->300 301 407c9d-407c9f 297->301 298->274 302 407d70-407d7a InitializeSecurityDescriptor 298->302 299->298 303 407cf2-407d0d RegOpenKeyExA 299->303 300->301 304 407ca1-407ca5 301->304 305 407ca7-407cc3 301->305 306 407d7c-407d8a SetSecurityDescriptorDacl 302->306 307 407d9f-407da0 LocalFree 302->307 303->298 308 407d0f-407d16 303->308 304->283 304->305 305->283 306->307 309 407d8c-407d9a RegSetKeySecurity 306->309 307->274 310 407d19-407d1e 308->310 309->307 311 407d9c 309->311 310->310 312 407d20-407d52 call 402544 RegSetValueExA 310->312 311->307 312->298 315 407d54 312->315 315->298
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 549 409326-409348 call 401910 GetVersionExA 552 409358-40935c 549->552 553 40934a-409356 549->553 554 409360-40937d GetModuleHandleA GetModuleFileNameA 552->554 553->554 555 409385-4093a2 554->555 556 40937f 554->556 557 4093a4-4093d7 call 402544 wsprintfA 555->557 558 4093d9-409412 call 402544 wsprintfA 555->558 556->555 563 409415-40942c call 40ee2a 557->563 558->563 566 4094a3-4094b3 call 406edd 563->566 567 40942e-409432 563->567 572 4094b9-4094f9 call 402544 RegOpenKeyExA 566->572 573 40962f-409632 566->573 567->566 568 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 567->568 568->566 583 409502-40952e call 402544 RegQueryValueExA 572->583 584 4094fb-409500 572->584 577 409634-409637 573->577 578 409639-40964a call 401820 577->578 579 40967b-409682 577->579 592 40964c-409662 578->592 593 40966d-409679 578->593 586 409683 call 4091eb 579->586 602 409530-409537 583->602 603 409539-409565 call 402544 RegQueryValueExA 583->603 588 40957a-40957f 584->588 596 409688-409690 586->596 597 409581-409584 588->597 598 40958a-40958d 588->598 600 409664-40966b 592->600 601 40962b-40962d 592->601 593->586 605 409692 596->605 606 409698-4096a0 596->606 597->577 597->598 598->579 599 409593-40959a 598->599 607 40961a-40961f 599->607 608 40959c-4095a1 599->608 600->601 612 4096a2-4096a9 601->612 609 40956e-409577 RegCloseKey 602->609 603->609 618 409567 603->618 605->606 606->612 616 409625 607->616 608->607 613 4095a3-4095c0 call 40f0e4 608->613 609->588 622 4095c2-4095db call 4018e0 613->622 623 40960c-409618 613->623 616->601 618->609 622->612 626 4095e1-4095f9 622->626 623->616 626->612 627 4095ff-409607 626->627 627->612
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 666 406a60-406a89 CreateFileA 667 406b8c-406ba1 GetLastError 666->667 668 406a8f-406ac3 GetDiskFreeSpaceA 666->668 669 406ba3-406ba6 667->669 670 406ac5-406adc call 40eb0e 668->670 671 406b1d-406b34 call 406987 668->671 670->671 676 406ade 670->676 677 406b56-406b63 FindCloseChangeNotification 671->677 678 406b36-406b54 GetLastError CloseHandle 671->678 681 406ae0-406ae5 676->681 682 406ae7-406afb call 40eca5 676->682 679 406b65-406b7d GetLastError CloseHandle 677->679 680 406b86-406b8a 677->680 683 406b7f-406b80 DeleteFileA 678->683 679->683 680->669 681->682 684 406afd-406aff 681->684 682->671 683->680 684->671 687 406b01 684->687 688 406b03-406b08 687->688 689 406b0a-406b17 call 40eca5 687->689 688->671 688->689 689->671
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1251348514-2980165447
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 821 78092b-780970 GetPEB 822 780972-780978 821->822 823 78097a-78098a call 780d35 822->823 824 78098c-78098e 822->824 823->824 829 780992-780994 823->829 824->822 825 780990 824->825 828 780996-780998 825->828 830 780a3b-780a3e 828->830 829->828 831 78099d-7809d3 829->831 832 7809dc-7809ee call 780d0c 831->832 835 7809f0-780a3a 832->835 836 7809d5-7809d8 832->836 835->830 836->832
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: 1050865b8f551beb30e40799f8e93d2cdd75059be690525d97bedd8af62775e7
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: 83318AB6900609CFDB10DF99C884AAEBBF9FF08324F25404AD841A7311D775EA49CBA4

                                                                                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00808DD0
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00808DF0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153887061.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F9000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7f9000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: f5c55ee62bc6f3558d2c7a84d26d6fb7d6caea480ad635b9da42aecfa52d3268
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: 04F09631200715AFD7603BF99C8DB6E76E8FF59764F100629EA86D24C0DF70EC854661
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                            • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.KERNELBASE(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.KERNELBASE(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"$PromptOnSecureDesktop
                                                                                            • API String ID: 4293430545-98143240
                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                            Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 11e41495bae7d7e4d724454cbfe7a509fbcdab37b2827ee2bc84ff87f4a961b5
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: 19527974A01229DFDBA4CF58C984BA8BBB1BF09304F1480D9E50DAB351DB34AE99DF54

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4131120076-2980165447
                                                                                            • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                            • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 408151869-2980165447
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                            • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-0
                                                                                            • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                            • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,00780223,?,?), ref: 00780E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,00780223,?,?), ref: 00780E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: c37cf524c63f5757edd935c017db940ef546b67fe649cc31a07347fd0354d86c
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: 77D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C774994047E5
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                            APIs
                                                                                            • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00780929
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 560597551-0
                                                                                            • Opcode ID: 9604ea1dcd4f22a8949a886f7bdec1d118a5d81d9110c455f59b90acc83c70ce
                                                                                            • Instruction ID: e1e1a94a0531323669c5b18f76ad3daf4669449f0ff4b443a9781655a3b09211
                                                                                            • Opcode Fuzzy Hash: 9604ea1dcd4f22a8949a886f7bdec1d118a5d81d9110c455f59b90acc83c70ce
                                                                                            • Instruction Fuzzy Hash: C09004307441501DDC7035DD0C01F4500013741731F3347107530FD1F0C4415F104555
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00808AB8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153887061.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F9000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7f9000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 0feb9d8b6ea6cab5f3d7fc7031fd311e3c44f384b114865b3ec3f65ba062b03d
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: 1D112D79A00208EFDB01DF98C985E99BBF5EF08351F058095F9489B362D771EA90DB81
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0040CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                            • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                            • wsprintfA.USER32 ref: 0040CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                            • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                            • closesocket.WS2_32(?), ref: 0040D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                            • ExitProcess.KERNEL32 ref: 0040D583
                                                                                            • wsprintfA.USER32 ref: 0040D81F
                                                                                              • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                            • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-3791576231
                                                                                            • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                            • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-1839596206
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 007865F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00786610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00786631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00786652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 9e22945f9bed584e372acad72256f75da19f8ea1f3e967655bd5b861a3def70b
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 4E11A3B1740258BFDB21AF65DC0AF9B3FA8EB047A5F104024F908E7251E7B5DD0087A4
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                            • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                            • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153887061.00000000007F9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007F9000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7f9000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction ID: d044aedf20cf4846c6a60c565d087f6e3cb2cbfa0b4fb3e87f946551bb65e4b5
                                                                                            • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                            • Instruction Fuzzy Hash: D0117072340200DFD784DE59DC95EA673EAFB99320B298055E944CB355DA76E841CB60
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction ID: c137a415cd33a37c16b2a2ea5c25f585a778bfd2a950d56cefb96e01b2f897f6
                                                                                            • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                            • Instruction Fuzzy Hash: 0C01F272B406008FDF61EF60C805BAB33E5FB86306F0544A4D90A97282E378A8498BD0
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 00789E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00789FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 00789FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0078A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0078A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0078A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0078A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 0078A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 0078A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00789F13
                                                                                              • Part of subcall function 00787029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00787081
                                                                                              • Part of subcall function 00786F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\efijgqmr,00787043), ref: 00786F4E
                                                                                              • Part of subcall function 00786F30: GetProcAddress.KERNEL32(00000000), ref: 00786F55
                                                                                              • Part of subcall function 00786F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
                                                                                              • Part of subcall function 00786F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0078A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0078A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0078A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0078A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0078A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0078A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0078A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0078A2F4
                                                                                            • wsprintfA.USER32 ref: 0078A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0078A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 0078A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0078A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0078A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1D1
                                                                                              • Part of subcall function 00789966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0078999D
                                                                                              • Part of subcall function 00789966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007899BD
                                                                                              • Part of subcall function 00789966: RegCloseKey.ADVAPI32(?), ref: 007899C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0078A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0078A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0078A41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: fcd6cfc1229646f162688ada09cd9548fc519c1614a6a490e657c959ea0a90b0
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: F1F112B1D80259FFDF11EBA09C49EEF7BBCAB08300F1444A6F605E2141E7799A858F65
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00787D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00787D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00787DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00787E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00787E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2976863881-1403908072
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 5d765d5f1e80701d1017c59c09a3c21054aebdb72f923c3248f286917c5cb4fc
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: B1A15C71940219AFDB11DFA1DD88FEEBBB9FB08300F148069F616E2150DB79CA85CB64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00787A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00787ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00787B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00787B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00787B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 00787BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 00787C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00787C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00787CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00787CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00787CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: e90db8605f24c7f4b8cdea20a8669ae03bab4930f35680131aa2d7c0f7e4d63d
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: A1815C71944219AFDB11DFA4DD88FEEBBBCAF08340F24806AE506E7150D779CA41CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0078865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0078867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007886A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007886B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 237177642-3108538426
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: e7fd308d00a54076d95c34a6a741fe4ef1c2517d2ffb4fe337ea5a89d3a2103d
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 13C1A0B1980108FEEB51BBA4DD89EEF7BBDEB04300F544076F605E6051EB784E948B66
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 00781601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 007817D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: 56effd8c578fc6a756252e3c3c41c79e8ba6b0f8186d24e4f90db8795d4cfe5d
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 2AF19EB15483419FD720EF64C888BABB7E8FB88300F90892DF596D7290D7B8D945CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007876D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00787757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0078778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 007878B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0078794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0078796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0078797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 007879AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00787A56
                                                                                              • Part of subcall function 0078F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0078772A,?), ref: 0078F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007879F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00787A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: 052c9d4e6bbc6744200fa5f9b792f86a5469912d2ebfa4157b534f51d5ec58c3
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: EFC1C172984209EFDB15ABA4DC49FEE7BB9EF45310F2040A1F505E6191EB79DA80CB60
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00782CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00782D07
                                                                                            • htons.WS2_32(00000000), ref: 00782D42
                                                                                            • select.WS2_32 ref: 00782D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00782DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00782E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: e9ea1ebc2f37348c9937cc14dcfa3e73d43684d78d6910b0c3dceb79edd0491d
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 2C61C071544305AFC720BF64DC0CB6BBBF8EB48752F144819F98497152D7B9D882CBAA
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 007895A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007895D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 007895DC
                                                                                            • wsprintfA.USER32 ref: 00789635
                                                                                            • wsprintfA.USER32 ref: 00789673
                                                                                            • wsprintfA.USER32 ref: 007896F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00789758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0078978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007897D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3696105349-2980165447
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: 42de77b672943b115824066a523765a322ec8d48bec6b8c15357696fcfb44a13
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: 3BA182B198020CEFEB11EFA1CC49FEA3BACEB04741F144026FA15D6152E779D984CBA4
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-142018493
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 0078202D
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 0078204F
                                                                                            • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0078206A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00782071
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00782082
                                                                                            • GetTickCount.KERNEL32 ref: 00782230
                                                                                              • Part of subcall function 00781E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00781E7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                            • API String ID: 4207808166-1391650218
                                                                                            • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: d5b8558eb34075505483270bd57c79bd25e7b725cbd892d881ef42fa46da7711
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: D351B3B0980348AFE330BF758C8AF67BAECEB55704F00492DF99682143D7BDA9458765
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00783068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00783078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 00783095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 007830B6
                                                                                            • htons.WS2_32(00000035), ref: 007830EF
                                                                                            • inet_addr.WS2_32(?), ref: 007830FA
                                                                                            • gethostbyname.WS2_32(?), ref: 0078310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 0078314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 3bab4b7665f45b89bfc39abb1b2f357255c2d1f5fbfa5cb918e228851aa91b29
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: 31318731E4060AABDB11ABBCDC4CAAE7778AF04F61F144125E518E7290DB7CDE418B54
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                            • API String ID: 1082366364-2834986871
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2981417381-1403908072
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007867C3
                                                                                            • htonl.WS2_32(?), ref: 007867DF
                                                                                            • htonl.WS2_32(?), ref: 007867EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007868F1
                                                                                            • ExitProcess.KERNEL32 ref: 007869BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: e23bd7f508c8abb35fba742c0d6c65c3467317decb6e1f62545f3f6089b4f3d8
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: EC615071940208EFDB60AFB4DC45FEA77E9FB08300F148069F96DD2161DB7599948F54
                                                                                            APIs
                                                                                            • htons.WS2_32(0078CC84), ref: 0078F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0078F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 0078F5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: 601d0fa4c20371f1001b25fb6555c543218af509c7ea1819fd7a83ef71eb4bb1
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: F6315A72A40118ABDB10EFA5DC89DEE7BBCEF88310F104566F915E3150E7749A818BA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 00782FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00782FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00782FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00783000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00783007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00783032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 6bd1a1b5ec82ea021da7d592a4b532bfc52a074098fa33ec8d8d825599d49567
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 6021A471980625BBCB21AB98DC489EEBBBDEF08B11F104421F901E7141D7B89E81C7D4
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3609698214-2980165447
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\efijgqmr,00787043), ref: 00786F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00786F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\efijgqmr
                                                                                            • API String ID: 1082366364-2175600393
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: 12a4025699fa090bce9363291915759317fb4ead2325f3cccc56c05a67a05c0c
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: 5A21C2617C5344B9F7227331AC8DFBB2A4C8B52711F2840A5F644A5192DADDC8D6C36D
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
                                                                                            • wsprintfA.USER32 ref: 00789350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 00789389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0078939B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: a677a98da3d9aee16c71f691049b3079da5b76deedd8fde0d690a343223b0933
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: 071157B5780114BBE7607772EC0EFEF3A6DDBC5B11F008065BB09E5091EBB84A558764
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00789A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 00789A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00789A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00789A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 00789AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 00789AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: b15de8dc03c43e32fa077fe81270d95784aaea7327ae09b2603fa0f470c7e840
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: FB213BB1A41219BBDB11ABA1DC09EEF7BBCEF04750F448061FA19E1150E7798A44CBA5
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 00781C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 00781C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 00781C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00781C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00781CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 00781D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 00781D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: ad3110e32fe948610cd97040d80640b7f0850246609407a004ae0c5a5fe2ee87
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: 8C314F32E40219BFCB11AFE4DC889FEBBB9EB45711B64447AE501A2110D7B94E81DBA4
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1586453840-2980165447
                                                                                            • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                            • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                            • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1371578007-2980165447
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00786CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00786D22
                                                                                            • GetLastError.KERNEL32 ref: 00786DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 00786DB5
                                                                                            • GetLastError.KERNEL32 ref: 00786DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 00786DE7
                                                                                            • GetLastError.KERNEL32 ref: 00786DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: 63c244b3ab6a512c6fa3a06b18b7d64518628dcb37c5937cf447235420ea8759
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 2331FE76A40249BFCF01EFA49D48ADEBFB9EB48300F148466E211E3212D7748A858B61
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
                                                                                            • RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0078E38E
                                                                                            • RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
                                                                                            • RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop$Dx
                                                                                            • API String ID: 2667537340-1154937498
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: b9a742336527e5f60ba28222633e1201b5f99b874b97378a97f56ae149f20ed2
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: CE213C71A4021DBBDF20AFA5EC89EEE7F79EF08750F048061F904E6161E7758A54D7A0
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007893C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 007893CD
                                                                                            • CharToOemA.USER32(?,?), ref: 007893DB
                                                                                            • wsprintfA.USER32 ref: 00789410
                                                                                              • Part of subcall function 007892CB: GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
                                                                                              • Part of subcall function 007892CB: wsprintfA.USER32 ref: 00789350
                                                                                              • Part of subcall function 007892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
                                                                                              • Part of subcall function 007892CB: lstrlen.KERNEL32(?,?,00000000), ref: 00789389
                                                                                              • Part of subcall function 007892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
                                                                                              • Part of subcall function 007892CB: CloseHandle.KERNEL32(00000000), ref: 0078939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00789448
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: cf521343015178553c3a1d2a393e6272c0b3de614ed31637e5ba322bc01a90f9
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: B80152F6940158BBD721A7619D4DEDF377CDB95701F0040A1BB49E2080DAB897C58F75
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: 8d1d207496ef616f35eceff2fca501376c02336d8d0640fbf19d9aaf779e6c9f
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: 3D7109B1AC4304BAFF21BB54DC85FEE3B699B00715F244077F904E6091DA6E9D848767
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
• Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
• Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
• Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
APIs
  • Part of subcall function 0078DF6C: GetCurrentThreadId.KERNEL32 ref: 0078DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0078E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00786128), ref: 0078E950
• lstrcmp.KERNEL32(?,00000008), ref: 0078E989
Strings
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: f3a78f06b441fe478f93ed133a6f2ae6492b7247684b4874492198e029fca0dd
• Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction Fuzzy Hash: 05319031640705DBDB71AF24C888BAA7BE8EB15720F10852AE55587551D3B8FC80CB82
APIs
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: ad91502c918df71d043ef53d816e9cc1f178552f3268e5d244bc5e88c32108aa
• Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction Fuzzy Hash: A5213876244219FFEB10ABA4EC49EDF3EADEB49760B208425F602D1091EB789A409774
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0078C6B4
• InterlockedIncrement.KERNEL32(0078C74B), ref: 0078C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0078C747), ref: 0078C728
• CloseHandle.KERNEL32(00000000,?,0078C747,00413588,00788A77), ref: 0078C733
Strings
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 1e6f1576e2e50f53fadbf419bc5d0a0ece3ed34da1cb4f80c9286cd8a0785033
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: FE5151B1A41B418FD7359F69C5C5526BBE9FB48300B50593EE18BC7A90E778F844CB20
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
• Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007871E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787228
• LocalFree.KERNEL32(?,?,?), ref: 00787286
• wsprintfA.USER32 ref: 0078729D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 69799ed38631098953583dc070a86043a87f163e39c50755d062a3815318b6fd
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 32311C72944208FFDB01EFA4DC49ADA7BBCEF04314F148066F959DB101EA79D648CB94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• GetLocalTime.KERNEL32(?), ref: 0078B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0078B590
• wsprintfA.USER32 ref: 0078B61E
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 335107ad3a58f150b19d811438a85d641bde38f5779872bf26dfccb59482764b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 3F5100B1D4021DAACF14DFD5D8895EEBBB9BF48304F10816AF505B6150E7B84AC9CF98
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00786303
• LoadLibraryA.KERNEL32(?), ref: 0078632A
• GetProcAddress.KERNEL32(00000000,?), ref: 007863B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00786405
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 0c689eb95139ecdefd35ad0e3403977c96828d2c5fd596ff35aa5357045fabaf
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: A64168B1A40209FFDB14EF58C884AADB7B8FF04314F288069E909D7690E739EE40CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,Dx,00000000,00000000,00000000), ref: 0078E470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0078E484
                                                                                              • Part of subcall function 0078E2FC: RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
                                                                                              • Part of subcall function 0078E2FC: RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0078E38E
                                                                                              • Part of subcall function 0078E2FC: RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
                                                                                              • Part of subcall function 0078E2FC: RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop$Dx
                                                                                            • API String ID: 4151426672-1154937498
                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction ID: 62fbe1fc4a2e4788591fbd1af2e110fab4b62fc7066f466e4188aaaa918b071b
                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction Fuzzy Hash: 9F4198B1980214FAEB207B528C4AFEB3B6CEB14765F148035FE0D94192E7B98A50D7B5
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3683885500-2980165447
                                                                                            • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                            • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                            • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                            APIs
                                                                                              • Part of subcall function 0078DF6C: GetCurrentThreadId.KERNEL32 ref: 0078DFBA
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0078A6AC), ref: 0078E7BF
                                                                                            • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0078A6AC), ref: 0078E7EA
                                                                                            • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0078A6AC), ref: 0078E819
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1396056608-2980165447
                                                                                            • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction ID: 3f9aba68736be6a9c1243481fc4e1dbd19a1d4730d4f98026fa4cc0a6f74dc65
                                                                                            • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                            • Instruction Fuzzy Hash: A621B7B1A80300BAE22077629C4FFEB3E5CDB65B61F100025FB0AA51D3FA9D995183B5
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007876D9
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0078796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0078797E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            • API ID: CloseEnumOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1332880857-2980165447
                                                                                            • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction ID: 92098ff4450d991af6ce170486f9acc9a2d205519aabb7bda53b365209264477
                                                                                            • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                            • Instruction Fuzzy Hash: 0811DC70A44109AFDB12AFA9DC49FAFBF78EB91310F244161F512E6291E2B8CD40CB60
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                            • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                            • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 849931509-2980165447
                                                                                            • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                            • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                            • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                            • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0078999D
                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000), ref: 007899BD
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 007899C6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseDeleteOpenValue
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 849931509-2980165447
                                                                                            • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                            • Instruction ID: 54024b693421c58b2c84714dde59e94a8845f57556cf8652eac554d587a6f4d2
                                                                                            • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                            • Instruction Fuzzy Hash: A9F0C2B2680208BBF7107B51AC0BFDB3A2CDB94B15F100060FB05B5082F6E99A9183B9
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: f54e17db91bb3e2e18ff366680972cfd35442e7a55dfa0556563681848d8bc3e
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9BE0C2306041119FCB00AB2CF848AC537E4EF0A331F008180F040D31A1C738DCC29740
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00786BD8
                                                                                              • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
                                                                                              • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 3384756699-0
                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction ID: 98284cedbb5e0bdd830b2312c414fc7784c5483ff006d889c06aaf1529bf7221
                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction Fuzzy Hash: 167136B194021DFFDB10AFA4CC85AEEBBB9FB04314F20456AE515E6190D7389E92DB60
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007841AB
                                                                                            • GetLastError.KERNEL32 ref: 007841B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 007841C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007841D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 0e4109f3f68f01feb6924853711e7862713e3c47d7cb17c4899ed68bdf49b805
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: A001A97691110EABDF01EF91ED88BEE7B6CEB18355F104061F901E2050D7B49A948BB9
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0078421F
                                                                                            • GetLastError.KERNEL32 ref: 00784229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 0078423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0078424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 349961e146e23fbe600ff5eecd25aa1a6ec98d1e63e6c483878e9f51718b02eb
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: 5A01A57255510AABDF01EF90ED84BEE7BACFB08355F108461F901E2050D7B49A549BB6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 0078E066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 0c6a11cff764635da061b8444645764357d3c6bfcf441a47ddffcdc2cfb15445
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: ADF06D322007169BCB20DF65DC84A92B7E9FB09321B648A2AE158D3060D3B9E898CB55
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                              • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                              • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                              • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007883C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00788477
                                                                                              • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
                                                                                              • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
                                                                                              • Part of subcall function 007869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
                                                                                              • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
                                                                                              • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 359188348-2980165447
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0078E859,00000000,00020119,0078E859,PromptOnSecureDesktop), ref: 0078E64D
                                                                                            • RegCloseKey.ADVAPI32(0078E859,?,?,?,?,000000C8,000000E4), ref: 0078E787
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 47109696-2980165447
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0078AFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B00D
                                                                                              • Part of subcall function 0078AF6F: gethostname.WS2_32(?,00000080), ref: 0078AF83
                                                                                              • Part of subcall function 0078AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0078AFE6
                                                                                              • Part of subcall function 0078331C: gethostname.WS2_32(?,00000080), ref: 0078333F
                                                                                              • Part of subcall function 0078331C: gethostbyname.WS2_32(?), ref: 00783349
                                                                                              • Part of subcall function 0078AA0A: inet_ntoa.WS2_32(00000000), ref: 0078AA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00789536
                                                                                            • Sleep.KERNEL32(000001F4), ref: 0078955D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-3916222277
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0078B9D9
                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 0078BA3A
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0078BA94
                                                                                            • GetTickCount.KERNEL32 ref: 0078BB79
                                                                                            • GetTickCount.KERNEL32 ref: 0078BB99
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0078BE15
                                                                                            • closesocket.WS2_32(00000000), ref: 0078BEB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 1869671989-2903620461
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 007870BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007870F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: 07a87876702d130a63a1f1e3756ed7e6a6f820ffd8e55d68b8fb3d18a6f09ab7
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: 2F113C72D4411CEBDF55DFD4DC88ADEB7BCAB44301F2441A6E512E6090E674DB88CBA0

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1

APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C

APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 00000000.00000002.2150644409.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150644409.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

APIs
  • Part of subcall function 00782F88: GetModuleHandleA.KERNEL32(?), ref: 00782FA1
  • Part of subcall function 00782F88: LoadLibraryA.KERNEL32(?), ref: 00782FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 007831DA
• HeapFree.KERNEL32(00000000), ref: 007831E1
Memory Dump Source
• Source File: 00000000.00000002.2153450328.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_foufdsk.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: b1b0c1146997e16d652d6cf526e355ffa6fc717f626ca4eab37d9ecdda0bd4a0
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: 4D519A3194020AEFCF01AF68D8889FAB775FF15705F244169EC96C7211E73ADA19CB90

Execution Graph

Execution Coverage: 3.1%
Dynamic/Decrypted Code Coverage: 29.7%
Signature Coverage: 0%
Total number of Nodes: 1607
Total number of Limit Nodes: 15
15069 4081dd 15062->15069 15070 405e6c 15063->15070 15831 40877e 15063->15831 15065 4081a0 15064->15065 15065->15060 15066 4081aa RegQueryValueExA 15065->15066 15066->15057 15067 4081c4 15066->15067 15068 40ebcc 4 API calls 15067->15068 15068->15069 15069->15060 15570 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15070->15570 15072 405e71 15571 40e654 15072->15571 15074 405ec1 15075 403132 15074->15075 15076 40df70 12 API calls 15075->15076 15077 40313b 15076->15077 15078 40c125 15077->15078 15582 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15078->15582 15080 40c12d 15081 40e654 13 API calls 15080->15081 15082 40c2bd 15081->15082 15083 40e654 13 API calls 15082->15083 15084 40c2c9 15083->15084 15085 40e654 13 API calls 15084->15085 15086 40a47a 15085->15086 15087 408db1 15086->15087 15088 408dbc 15087->15088 15089 40e654 13 API calls 15088->15089 15090 408dec Sleep 15089->15090 15090->14800 15092 40c92f 15091->15092 15093 40c93c 15092->15093 15583 40c517 15092->15583 15095 40ca2b 15093->15095 15096 40e819 11 API calls 15093->15096 15095->14800 15097 40c96a 15096->15097 15098 40e819 11 API calls 15097->15098 15099 40c97d 15098->15099 15100 40e819 11 API calls 15099->15100 15101 40c990 15100->15101 15102 40c9aa 15101->15102 15103 40ebcc 4 API calls 15101->15103 15102->15095 15600 402684 15102->15600 15103->15102 15108 40ca26 15607 40c8aa 15108->15607 15111 40ca44 15112 40ca4b closesocket 15111->15112 15113 40ca83 15111->15113 15112->15108 15114 40ea84 30 API calls 15113->15114 15115 40caac 15114->15115 15116 40f04e 4 API calls 15115->15116 15117 40cab2 15116->15117 15118 40ea84 30 API calls 15117->15118 15119 40caca 15118->15119 15120 40ea84 30 API calls 15119->15120 15121 40cad9 15120->15121 15615 40c65c 15121->15615 15124 40cb60 closesocket 15124->15095 15126 40dad2 closesocket 15127 40e318 23 API calls 15126->15127 15127->15095 15128 40df4c 20 API calls 15177 40cb70 15128->15177 15133 40e654 13 API calls 15133->15177 15139 
40cc1c GetTempPathA 15139->15177 15140 40ea84 30 API calls 15140->15177 15141 40d569 closesocket Sleep 15662 40e318 15141->15662 15142 40d815 wsprintfA 15142->15177 15143 40c517 23 API calls 15143->15177 15145 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15145->15177 15146 40e8a1 30 API calls 15146->15177 15147 40d582 ExitProcess 15148 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15148->15177 15149 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15149->15177 15150 40cfe3 GetSystemDirectoryA 15150->15177 15151 40675c 21 API calls 15151->15177 15152 40d027 GetSystemDirectoryA 15152->15177 15153 40cfad GetEnvironmentVariableA 15153->15177 15154 40d105 lstrcatA 15154->15177 15155 40ef1e lstrlenA 15155->15177 15156 40cc9f CreateFileA 15159 40ccc6 WriteFile 15156->15159 15156->15177 15157 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15157->15177 15158 40d15b CreateFileA 15160 40d182 WriteFile CloseHandle 15158->15160 15158->15177 15161 40cdcc CloseHandle 15159->15161 15162 40cced CloseHandle 15159->15162 15160->15177 15161->15177 15167 40cd2f 15162->15167 15163 40d149 SetFileAttributesA 15163->15158 15164 40cd16 wsprintfA 15164->15167 15165 40d36e GetEnvironmentVariableA 15165->15177 15166 40d1bf SetFileAttributesA 15166->15177 15167->15164 15644 407fcf 15167->15644 15168 407ead 6 API calls 15168->15177 15169 40d22d GetEnvironmentVariableA 15169->15177 15171 40d3af lstrcatA 15174 40d3f2 CreateFileA 15171->15174 15171->15177 15173 407fcf 64 API calls 15173->15177 15174->15177 15178 40d415 WriteFile CloseHandle 15174->15178 15175 40cd81 WaitForSingleObject CloseHandle CloseHandle 15179 40f04e 4 API calls 15175->15179 15176 40cda5 15180 407ee6 64 API calls 15176->15180 15177->15126 15177->15128 15177->15133 15177->15139 15177->15140 15177->15141 15177->15142 15177->15143 15177->15145 15177->15146 15177->15148 15177->15149 15177->15150 15177->15151 15177->15152 15177->15153 
15177->15154 15177->15155 15177->15156 15177->15157 15177->15158 15177->15163 15177->15165 15177->15166 15177->15168 15177->15169 15177->15171 15177->15173 15177->15174 15182 40d4b1 CreateProcessA 15177->15182 15183 40d3e0 SetFileAttributesA 15177->15183 15184 40d26e lstrcatA 15177->15184 15185 40d2b1 CreateFileA 15177->15185 15188 407ee6 64 API calls 15177->15188 15189 40d452 SetFileAttributesA 15177->15189 15190 40d29f SetFileAttributesA 15177->15190 15193 40d31d SetFileAttributesA 15177->15193 15623 40c75d 15177->15623 15635 407e2f 15177->15635 15657 407ead 15177->15657 15667 4031d0 15177->15667 15684 403c09 15177->15684 15694 403a00 15177->15694 15698 40e7b4 15177->15698 15701 40c06c 15177->15701 15707 406f5f GetUserNameA 15177->15707 15718 40e854 15177->15718 15728 407dd6 15177->15728 15178->15177 15179->15176 15181 40cdbd DeleteFileA 15180->15181 15181->15177 15182->15177 15186 40d4e8 CloseHandle CloseHandle 15182->15186 15183->15174 15184->15177 15184->15185 15185->15177 15187 40d2d8 WriteFile CloseHandle 15185->15187 15186->15177 15187->15177 15188->15177 15189->15177 15190->15185 15193->15177 15195 40741b 15194->15195 15196 406dc2 6 API calls 15195->15196 15197 40743f 15196->15197 15198 407469 RegOpenKeyExA 15197->15198 15200 4077f9 15198->15200 15209 407487 ___ascii_stricmp 15198->15209 15199 407703 RegEnumKeyA 15201 407714 RegCloseKey 15199->15201 15199->15209 15200->14867 15201->15200 15202 4074d2 RegOpenKeyExA 15202->15209 15203 40772c 15205 407742 RegCloseKey 15203->15205 15206 40774b 15203->15206 15204 407521 RegQueryValueExA 15204->15209 15205->15206 15207 4077ec RegCloseKey 15206->15207 15207->15200 15208 4076e4 RegCloseKey 15208->15209 15209->15199 15209->15202 15209->15203 15209->15204 15209->15208 15211 40f1a5 lstrlenA 15209->15211 15212 40777e GetFileAttributesExA 15209->15212 15213 407769 15209->15213 15210 4077e3 RegCloseKey 15210->15207 15211->15209 15212->15213 15213->15210 15215 407073 15214->15215 15216 4070b9 RegOpenKeyExA 15215->15216 
15217 4070d0 15216->15217 15218 4071b8 15216->15218 15219 406dc2 6 API calls 15217->15219 15218->14871 15222 4070d5 15219->15222 15220 40719b RegEnumValueA 15221 4071af RegCloseKey 15220->15221 15220->15222 15221->15218 15222->15220 15224 4071d0 15222->15224 15237 40f1a5 lstrlenA 15222->15237 15225 407205 RegCloseKey 15224->15225 15226 407227 15224->15226 15225->15218 15227 4072b8 ___ascii_stricmp 15226->15227 15228 40728e RegCloseKey 15226->15228 15229 4072cd RegCloseKey 15227->15229 15230 4072dd 15227->15230 15228->15218 15229->15218 15231 407311 RegCloseKey 15230->15231 15233 407335 15230->15233 15231->15218 15232 4073d5 RegCloseKey 15234 4073e4 15232->15234 15233->15232 15235 40737e GetFileAttributesExA 15233->15235 15236 407397 15233->15236 15235->15236 15236->15232 15238 40f1c3 15237->15238 15238->15222 15238->15238 15240 406e97 15239->15240 15241 406e5f LookupAccountNameW 15239->15241 15240->14873 15241->15240 15243 40eb17 15242->15243 15244 40eb21 15242->15244 15252 40eae4 15243->15252 15244->14913 15248 4069b9 WriteFile 15246->15248 15249 4069ff 15248->15249 15250 406a3c 15248->15250 15249->15250 15251 406a10 WriteFile 15249->15251 15250->14909 15250->14910 15251->15249 15251->15250 15253 40eb02 GetProcAddress 15252->15253 15254 40eaed LoadLibraryA 15252->15254 15253->15244 15254->15253 15255 40eb01 15254->15255 15255->15244 15257 401924 GetVersionExA 15256->15257 15257->14924 15259 406f55 15258->15259 15260 406eef AllocateAndInitializeSid 15258->15260 15259->14934 15261 406f44 15260->15261 15262 406f1c CheckTokenMembership 15260->15262 15261->15259 15265 406e36 2 API calls 15261->15265 15263 406f3b FreeSid 15262->15263 15264 406f2e 15262->15264 15263->15261 15264->15263 15265->15259 15267 40f0f1 15266->15267 15268 40f0ed 15266->15268 15269 40f119 15267->15269 15270 40f0fa lstrlenA SysAllocStringByteLen 15267->15270 15268->14956 15272 40f11c MultiByteToWideChar 15269->15272 15271 40f117 15270->15271 15270->15272 15271->14956 15272->15271 15274 401820 17 
API calls 15273->15274 15275 4018f2 15274->15275 15276 4018f9 15275->15276 15290 401280 15275->15290 15276->14951 15278 401908 15278->14951 15303 401000 15279->15303 15281 401839 15282 401851 GetCurrentProcess 15281->15282 15283 40183d 15281->15283 15284 401864 15282->15284 15283->14942 15284->14942 15286 409308 15285->15286 15288 40920e 15285->15288 15286->14951 15287 4092f1 Sleep 15287->15288 15288->15286 15288->15287 15288->15288 15289 4092bf ShellExecuteA 15288->15289 15289->15286 15289->15288 15293 4012e1 ShellExecuteExW 15290->15293 15292 4016f9 GetLastError 15299 401699 15292->15299 15293->15292 15300 4013a8 15293->15300 15294 401570 lstrlenW 15294->15300 15295 4015be GetStartupInfoW 15295->15300 15296 4015ff CreateProcessWithLogonW 15297 4016bf GetLastError 15296->15297 15298 40163f WaitForSingleObject 15296->15298 15297->15299 15298->15300 15301 401659 CloseHandle 15298->15301 15299->15278 15300->15294 15300->15295 15300->15296 15300->15299 15302 401668 CloseHandle 15300->15302 15301->15300 15302->15300 15304 40100d LoadLibraryA 15303->15304 15314 401023 15303->15314 15305 401021 15304->15305 15304->15314 15305->15281 15306 4010b5 GetProcAddress 15307 4010d1 GetProcAddress 15306->15307 15308 40127b 15306->15308 15307->15308 15309 4010f0 GetProcAddress 15307->15309 15308->15281 15309->15308 15310 401110 GetProcAddress 15309->15310 15310->15308 15311 401130 GetProcAddress 15310->15311 15311->15308 15312 40114f GetProcAddress 15311->15312 15312->15308 15313 40116f GetProcAddress 15312->15313 15313->15308 15315 40118f GetProcAddress 15313->15315 15314->15306 15323 4010ae 15314->15323 15315->15308 15316 4011ae GetProcAddress 15315->15316 15316->15308 15317 4011ce GetProcAddress 15316->15317 15317->15308 15318 4011ee GetProcAddress 15317->15318 15318->15308 15319 401209 GetProcAddress 15318->15319 15319->15308 15320 401225 GetProcAddress 15319->15320 15320->15308 15321 401241 GetProcAddress 15320->15321 15321->15308 15322 40125c GetProcAddress 15321->15322 
15322->15308 15323->15281 15325 40908d 15324->15325 15326 4090e2 wsprintfA 15325->15326 15327 40ee2a 15326->15327 15328 4090fd CreateFileA 15327->15328 15329 40911a lstrlenA WriteFile CloseHandle 15328->15329 15330 40913f 15328->15330 15329->15330 15330->14972 15330->14973 15332 40dd41 InterlockedExchange 15331->15332 15333 40dd20 GetCurrentThreadId 15332->15333 15337 40dd4a 15332->15337 15334 40dd53 GetCurrentThreadId 15333->15334 15335 40dd2e GetTickCount 15333->15335 15334->14976 15336 40dd39 Sleep 15335->15336 15335->15337 15336->15332 15337->15334 15339 40dbf0 15338->15339 15371 40db67 GetEnvironmentVariableA 15339->15371 15341 40dc19 15342 40dcda 15341->15342 15343 40db67 3 API calls 15341->15343 15342->14978 15344 40dc5c 15343->15344 15344->15342 15345 40db67 3 API calls 15344->15345 15346 40dc9b 15345->15346 15346->15342 15347 40db67 3 API calls 15346->15347 15347->15342 15349 40db3a 15348->15349 15351 40db55 15348->15351 15375 40ebed 15349->15375 15351->14980 15351->14985 15384 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15352->15384 15354 40e3be 15354->14980 15356 40e342 15356->15354 15387 40de24 15356->15387 15358 40e528 15357->15358 15359 40e3f4 15357->15359 15358->14989 15360 40e434 RegQueryValueExA 15359->15360 15361 40e458 15360->15361 15362 40e51d RegCloseKey 15360->15362 15363 40e46e RegQueryValueExA 15361->15363 15362->15358 15363->15361 15364 40e488 15363->15364 15364->15362 15365 40db2e 8 API calls 15364->15365 15366 40e499 15365->15366 15366->15362 15367 40e4b9 RegQueryValueExA 15366->15367 15368 40e4e8 15366->15368 15367->15366 15367->15368 15368->15362 15369 40e332 14 API calls 15368->15369 15370 40e513 15369->15370 15370->15362 15372 40dbca 15371->15372 15374 40db89 lstrcpyA CreateFileA 15371->15374 15372->15341 15374->15341 15376 40ec01 15375->15376 15377 40ebf6 15375->15377 15378 40eba0 codecvt 2 API calls 15376->15378 15379 40ebcc 4 API calls 15377->15379 15380 40ec0a GetProcessHeap HeapReAlloc 15378->15380 15381 40ebfe 
15379->15381 15382 40eb74 2 API calls 15380->15382 15381->15351 15383 40ec28 15382->15383 15383->15351 15398 40eb41 15384->15398 15388 40de3a 15387->15388 15394 40de4e 15388->15394 15402 40dd84 15388->15402 15391 40ebed 8 API calls 15396 40def6 15391->15396 15392 40de9e 15392->15391 15392->15394 15393 40de76 15406 40ddcf 15393->15406 15394->15356 15396->15394 15397 40ddcf lstrcmpA 15396->15397 15397->15394 15399 40eb54 15398->15399 15400 40eb4a 15398->15400 15399->15356 15401 40eae4 2 API calls 15400->15401 15401->15399 15403 40ddc5 15402->15403 15404 40dd96 15402->15404 15403->15392 15403->15393 15404->15403 15405 40ddad lstrcmpiA 15404->15405 15405->15403 15405->15404 15407 40dddd 15406->15407 15409 40de20 15406->15409 15408 40ddfa lstrcmpA 15407->15408 15407->15409 15408->15407 15409->15394 15411 40dd05 6 API calls 15410->15411 15412 40e821 15411->15412 15413 40dd84 lstrcmpiA 15412->15413 15414 40e82c 15413->15414 15415 40e844 15414->15415 15458 402480 15414->15458 15415->15005 15418 40dd05 6 API calls 15417->15418 15419 40df7c 15418->15419 15420 40dd84 lstrcmpiA 15419->15420 15424 40df89 15420->15424 15421 40dfc4 15421->15011 15422 40ddcf lstrcmpA 15422->15424 15423 40ec2e codecvt 4 API calls 15423->15424 15424->15421 15424->15422 15424->15423 15425 40dd84 lstrcmpiA 15424->15425 15425->15424 15427 40ea98 15426->15427 15467 40e8a1 15427->15467 15429 401e84 15429->15014 15431 4019d5 GetProcAddress GetProcAddress GetProcAddress 15430->15431 15434 4019ce 15430->15434 15432 401ab3 FreeLibrary 15431->15432 15433 401a04 15431->15433 15432->15434 15433->15432 15435 401a14 GetProcessHeap 15433->15435 15434->15018 15435->15434 15437 401a2e HeapAlloc 15435->15437 15437->15434 15438 401a42 15437->15438 15439 401a52 HeapReAlloc 15438->15439 15441 401a62 15438->15441 15439->15441 15440 401aa1 FreeLibrary 15440->15434 15441->15440 15442 401a96 HeapFree 15441->15442 15442->15440 15495 401ac3 LoadLibraryA 15443->15495 15446 401bcf 15446->15029 15448 401ac3 12 API calls 
15447->15448 15449 401c09 15448->15449 15450 401c41 15449->15450 15451 401c0d GetComputerNameA 15449->15451 15450->15038 15452 401c45 GetVolumeInformationA 15451->15452 15453 401c1f 15451->15453 15452->15450 15453->15450 15453->15452 15455 40ee2a 15454->15455 15456 4030d0 gethostname gethostbyname 15455->15456 15457 401f82 15456->15457 15457->15042 15457->15044 15461 402419 lstrlenA 15458->15461 15460 402491 15460->15415 15462 402474 15461->15462 15463 40243d lstrlenA 15461->15463 15462->15460 15464 402464 lstrlenA 15463->15464 15465 40244e lstrcmpiA 15463->15465 15464->15462 15464->15463 15465->15464 15466 40245c 15465->15466 15466->15462 15466->15464 15468 40dd05 6 API calls 15467->15468 15469 40e8b4 15468->15469 15470 40dd84 lstrcmpiA 15469->15470 15471 40e8c0 15470->15471 15472 40e90a 15471->15472 15473 40e8c8 lstrcpynA 15471->15473 15474 402419 4 API calls 15472->15474 15483 40ea27 15472->15483 15475 40e8f5 15473->15475 15476 40e926 lstrlenA lstrlenA 15474->15476 15488 40df4c 15475->15488 15478 40e96a 15476->15478 15479 40e94c lstrlenA 15476->15479 15482 40ebcc 4 API calls 15478->15482 15478->15483 15479->15478 15480 40e901 15481 40dd84 lstrcmpiA 15480->15481 15481->15472 15484 40e98f 15482->15484 15483->15429 15484->15483 15485 40df4c 20 API calls 15484->15485 15486 40ea1e 15485->15486 15487 40ec2e codecvt 4 API calls 15486->15487 15487->15483 15489 40dd05 6 API calls 15488->15489 15490 40df51 15489->15490 15491 40f04e 4 API calls 15490->15491 15492 40df58 15491->15492 15493 40de24 10 API calls 15492->15493 15494 40df63 15493->15494 15494->15480 15496 401ae2 GetProcAddress 15495->15496 15497 401b68 GetComputerNameA GetVolumeInformationA 15495->15497 15496->15497 15498 401af5 15496->15498 15497->15446 15499 401b29 15498->15499 15500 40ebed 8 API calls 15498->15500 15499->15497 15501 40ec2e codecvt 4 API calls 15499->15501 15500->15498 15501->15497 15503 406ec3 2 API calls 15502->15503 15504 407ef4 15503->15504 15505 4073ff 17 API calls 15504->15505 15514 
407fc9 15504->15514 15506 407f16 15505->15506 15506->15514 15515 407809 GetUserNameA 15506->15515 15508 407f63 15509 40ef1e lstrlenA 15508->15509 15508->15514 15510 407fa6 15509->15510 15511 40ef1e lstrlenA 15510->15511 15512 407fb7 15511->15512 15539 407a95 RegOpenKeyExA 15512->15539 15514->15053 15516 40783d LookupAccountNameA 15515->15516 15521 407a8d 15515->15521 15517 407874 GetLengthSid GetFileSecurityA 15516->15517 15516->15521 15518 4078a8 GetSecurityDescriptorOwner 15517->15518 15517->15521 15519 4078c5 EqualSid 15518->15519 15520 40791d GetSecurityDescriptorDacl 15518->15520 15519->15520 15522 4078dc LocalAlloc 15519->15522 15520->15521 15533 407941 15520->15533 15521->15508 15522->15520 15523 4078ef InitializeSecurityDescriptor 15522->15523 15524 407916 LocalFree 15523->15524 15525 4078fb SetSecurityDescriptorOwner 15523->15525 15524->15520 15525->15524 15527 40790b SetFileSecurityA 15525->15527 15526 40795b GetAce 15526->15533 15527->15524 15528 407980 EqualSid 15528->15533 15529 407a3d 15529->15521 15532 407a43 LocalAlloc 15529->15532 15530 4079be EqualSid 15530->15533 15531 40799d DeleteAce 15531->15533 15532->15521 15534 407a56 InitializeSecurityDescriptor 15532->15534 15533->15521 15533->15526 15533->15528 15533->15529 15533->15530 15533->15531 15535 407a62 SetSecurityDescriptorDacl 15534->15535 15536 407a86 LocalFree 15534->15536 15535->15536 15537 407a73 SetFileSecurityA 15535->15537 15536->15521 15537->15536 15538 407a83 15537->15538 15538->15536 15540 407ac4 15539->15540 15541 407acb GetUserNameA 15539->15541 15540->15514 15542 407da7 RegCloseKey 15541->15542 15543 407aed LookupAccountNameA 15541->15543 15542->15540 15543->15542 15544 407b24 RegGetKeySecurity 15543->15544 15544->15542 15545 407b49 GetSecurityDescriptorOwner 15544->15545 15546 407b63 EqualSid 15545->15546 15547 407bb8 GetSecurityDescriptorDacl 15545->15547 15546->15547 15549 407b74 LocalAlloc 15546->15549 15548 407da6 15547->15548 15555 407bdc 15547->15555 15548->15542 
15549->15547 15550 407b8a InitializeSecurityDescriptor 15549->15550 15551 407bb1 LocalFree 15550->15551 15552 407b96 SetSecurityDescriptorOwner 15550->15552 15551->15547 15552->15551 15554 407ba6 RegSetKeySecurity 15552->15554 15553 407bf8 GetAce 15553->15555 15554->15551 15555->15548 15555->15553 15556 407c1d EqualSid 15555->15556 15557 407c5f EqualSid 15555->15557 15558 407cd9 15555->15558 15559 407c3a DeleteAce 15555->15559 15556->15555 15557->15555 15558->15548 15560 407d5a LocalAlloc 15558->15560 15562 407cf2 RegOpenKeyExA 15558->15562 15559->15555 15560->15548 15561 407d70 InitializeSecurityDescriptor 15560->15561 15563 407d7c SetSecurityDescriptorDacl 15561->15563 15564 407d9f LocalFree 15561->15564 15562->15560 15567 407d0f 15562->15567 15563->15564 15565 407d8c RegSetKeySecurity 15563->15565 15564->15548 15565->15564 15566 407d9c 15565->15566 15566->15564 15568 407d43 RegSetValueExA 15567->15568 15568->15560 15569 407d54 15568->15569 15569->15560 15570->15072 15572 40dd05 6 API calls 15571->15572 15575 40e65f 15572->15575 15573 40e6a5 15574 40ebcc 4 API calls 15573->15574 15580 40e6f5 15573->15580 15577 40e6b0 15574->15577 15575->15573 15576 40e68c lstrcmpA 15575->15576 15576->15575 15578 40e6b7 15577->15578 15579 40e6e0 lstrcpynA 15577->15579 15577->15580 15578->15074 15579->15580 15580->15578 15581 40e71d lstrcmpA 15580->15581 15581->15580 15582->15080 15584 40c525 15583->15584 15585 40c532 15583->15585 15584->15585 15587 40ec2e codecvt 4 API calls 15584->15587 15586 40c548 15585->15586 15735 40e7ff 15585->15735 15589 40e7ff lstrcmpiA 15586->15589 15597 40c54f 15586->15597 15587->15585 15590 40c615 15589->15590 15591 40ebcc 4 API calls 15590->15591 15590->15597 15591->15597 15592 40c5d1 15595 40ebcc 4 API calls 15592->15595 15594 40e819 11 API calls 15596 40c5b7 15594->15596 15595->15597 15598 40f04e 4 API calls 15596->15598 15597->15093 15599 40c5bf 15598->15599 15599->15586 15599->15592 15601 402692 inet_addr 15600->15601 15602 40268e 15600->15602 
15601->15602 15603 40269e gethostbyname 15601->15603 15604 40f428 15602->15604 15603->15602 15738 40f315 15604->15738 15608 40c8d2 15607->15608 15609 40c907 15608->15609 15610 40c517 23 API calls 15608->15610 15609->15095 15610->15609 15611 40f43e 15612 40f473 recv 15611->15612 15613 40f458 15612->15613 15614 40f47c 15612->15614 15613->15612 15613->15614 15614->15111 15616 40c670 15615->15616 15617 40c67d 15615->15617 15618 40ebcc 4 API calls 15616->15618 15619 40ebcc 4 API calls 15617->15619 15621 40c699 15617->15621 15618->15617 15619->15621 15620 40c6f3 15620->15124 15620->15177 15621->15620 15622 40c73c send 15621->15622 15622->15620 15624 40c770 15623->15624 15625 40c77d 15623->15625 15626 40ebcc 4 API calls 15624->15626 15627 40c799 15625->15627 15629 40ebcc 4 API calls 15625->15629 15626->15625 15628 40c7b5 15627->15628 15630 40ebcc 4 API calls 15627->15630 15631 40f43e recv 15628->15631 15629->15627 15630->15628 15632 40c7cb 15631->15632 15633 40f43e recv 15632->15633 15634 40c7d3 15632->15634 15633->15634 15634->15177 15751 407db7 15635->15751 15638 407e96 15638->15177 15639 40f04e 4 API calls 15641 407e4c 15639->15641 15640 40f04e 4 API calls 15640->15638 15642 40f04e 4 API calls 15641->15642 15643 407e70 15641->15643 15642->15643 15643->15638 15643->15640 15645 406ec3 2 API calls 15644->15645 15646 407fdd 15645->15646 15647 4080c2 CreateProcessA 15646->15647 15648 4073ff 17 API calls 15646->15648 15647->15175 15647->15176 15649 407fff 15648->15649 15649->15647 15650 407809 21 API calls 15649->15650 15651 40804d 15650->15651 15651->15647 15652 40ef1e lstrlenA 15651->15652 15653 40809e 15652->15653 15654 40ef1e lstrlenA 15653->15654 15655 4080af 15654->15655 15656 407a95 24 API calls 15655->15656 15656->15647 15658 407db7 2 API calls 15657->15658 15659 407eb8 15658->15659 15660 40f04e 4 API calls 15659->15660 15661 407ece DeleteFileA 15660->15661 15661->15177 15663 40dd05 6 API calls 15662->15663 15664 40e31d 15663->15664 15755 40e177 15664->15755 15666 
40e326 15666->15147 15668 4031f3 15667->15668 15678 4031ec 15667->15678 15669 40ebcc 4 API calls 15668->15669 15683 4031fc 15669->15683 15670 40344b 15671 403459 15670->15671 15672 40349d 15670->15672 15674 40f04e 4 API calls 15671->15674 15673 40ec2e codecvt 4 API calls 15672->15673 15673->15678 15675 40345f 15674->15675 15677 4030fa 4 API calls 15675->15677 15676 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15676->15683 15677->15678 15678->15177 15679 40344d 15680 40ec2e codecvt 4 API calls 15679->15680 15680->15670 15682 403141 lstrcmpiA 15682->15683 15683->15670 15683->15676 15683->15678 15683->15679 15683->15682 15781 4030fa GetTickCount 15683->15781 15685 4030fa 4 API calls 15684->15685 15686 403c1a 15685->15686 15687 403ce6 15686->15687 15786 403a72 15686->15786 15687->15177 15690 403a72 9 API calls 15692 403c5e 15690->15692 15691 403a72 9 API calls 15691->15692 15692->15687 15692->15691 15693 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15692->15693 15693->15692 15695 403a10 15694->15695 15696 4030fa 4 API calls 15695->15696 15697 403a1a 15696->15697 15697->15177 15699 40dd05 6 API calls 15698->15699 15700 40e7be 15699->15700 15700->15177 15702 40c105 15701->15702 15703 40c07e wsprintfA 15701->15703 15702->15177 15795 40bfce GetTickCount wsprintfA 15703->15795 15705 40c0ef 15796 40bfce GetTickCount wsprintfA 15705->15796 15708 407047 15707->15708 15709 406f88 LookupAccountNameA 15707->15709 15708->15177 15711 407025 15709->15711 15712 406fcb 15709->15712 15713 406edd 5 API calls 15711->15713 15715 406fdb ConvertSidToStringSidA 15712->15715 15714 40702a wsprintfA 15713->15714 15714->15708 15715->15711 15716 406ff1 15715->15716 15717 407013 LocalFree 15716->15717 15717->15711 15719 40dd05 6 API calls 15718->15719 15720 40e85c 15719->15720 15721 40dd84 lstrcmpiA 15720->15721 15722 40e867 15721->15722 15723 40e885 lstrcpyA 15722->15723 15797 4024a5 15722->15797 15800 40dd69 15723->15800 15729 407db7 2 API calls 15728->15729 15730 
407de1 15729->15730 15731 40f04e 4 API calls 15730->15731 15734 407e16 15730->15734 15732 407df2 15731->15732 15733 40f04e 4 API calls 15732->15733 15732->15734 15733->15734 15734->15177 15736 40dd84 lstrcmpiA 15735->15736 15737 40c58e 15736->15737 15737->15586 15737->15592 15737->15594 15739 40ca1d 15738->15739 15740 40f33b 15738->15740 15739->15108 15739->15611 15741 40f347 htons socket 15740->15741 15742 40f382 ioctlsocket 15741->15742 15743 40f374 closesocket 15741->15743 15744 40f3aa connect select 15742->15744 15745 40f39d 15742->15745 15743->15739 15744->15739 15747 40f3f2 __WSAFDIsSet 15744->15747 15746 40f39f closesocket 15745->15746 15746->15739 15747->15746 15748 40f403 ioctlsocket 15747->15748 15750 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15748->15750 15750->15739 15752 407dc8 InterlockedExchange 15751->15752 15753 407dc0 Sleep 15752->15753 15754 407dd4 15752->15754 15753->15752 15754->15639 15754->15643 15756 40e184 15755->15756 15757 40e2e4 15756->15757 15758 40e223 15756->15758 15771 40dfe2 15756->15771 15757->15666 15758->15757 15760 40dfe2 8 API calls 15758->15760 15763 40e23c 15760->15763 15761 40e1be 15761->15758 15762 40dbcf 3 API calls 15761->15762 15764 40e1d6 15762->15764 15763->15757 15775 40e095 RegCreateKeyExA 15763->15775 15764->15758 15765 40e21a CloseHandle 15764->15765 15766 40e1f9 WriteFile 15764->15766 15765->15758 15766->15765 15768 40e213 15766->15768 15768->15765 15769 40e2a3 15769->15757 15770 40e095 4 API calls 15769->15770 15770->15757 15772 40dffc 15771->15772 15774 40e024 15771->15774 15773 40db2e 8 API calls 15772->15773 15772->15774 15773->15774 15774->15761 15776 40e172 15775->15776 15778 40e0c0 15775->15778 15776->15769 15777 40e13d 15779 40e14e RegDeleteValueA RegCloseKey 15777->15779 15778->15777 15780 40e115 RegSetValueExA 15778->15780 15779->15776 15780->15777 15780->15778 15782 403122 InterlockedExchange 15781->15782 15783 40312e 15782->15783 15784 40310f GetTickCount 15782->15784 15783->15683 
15784->15783 15785 40311a Sleep 15784->15785 15785->15782 15787 40f04e 4 API calls 15786->15787 15794 403a83 15787->15794 15788 403ac1 15788->15687 15788->15690 15789 403be6 15792 40ec2e codecvt 4 API calls 15789->15792 15790 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15791 403bc0 15790->15791 15791->15789 15791->15790 15792->15788 15793 403b66 lstrlenA 15793->15788 15793->15794 15794->15788 15794->15791 15794->15793 15795->15705 15796->15702 15798 402419 4 API calls 15797->15798 15799 4024b6 15798->15799 15799->15723 15801 40dd79 lstrlenA 15800->15801 15801->15177 15803 404084 15802->15803 15804 40407d 15802->15804 15805 403ecd 6 API calls 15803->15805 15806 40408f 15805->15806 15807 404000 3 API calls 15806->15807 15809 404095 15807->15809 15808 404130 15810 403ecd 6 API calls 15808->15810 15809->15808 15814 403f18 4 API calls 15809->15814 15811 404159 CreateNamedPipeA 15810->15811 15812 404167 Sleep 15811->15812 15813 404188 ConnectNamedPipe 15811->15813 15812->15808 15815 404176 CloseHandle 15812->15815 15817 404195 GetLastError 15813->15817 15827 4041ab 15813->15827 15816 4040da 15814->15816 15815->15813 15818 403f8c 4 API calls 15816->15818 15819 40425e DisconnectNamedPipe 15817->15819 15817->15827 15820 4040ec 15818->15820 15819->15813 15821 404127 CloseHandle 15820->15821 15822 404101 15820->15822 15821->15808 15823 403f18 4 API calls 15822->15823 15825 40411c ExitProcess 15823->15825 15824 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15824->15827 15826 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15826->15827 15827->15813 15827->15819 15827->15824 15827->15826 15828 40426a CloseHandle CloseHandle 15827->15828 15829 40e318 23 API calls 15828->15829 15830 40427b 15829->15830 15830->15830 15832 408791 15831->15832 15833 40879f 15831->15833 15834 40f04e 4 API calls 15832->15834 15835 4087bc 15833->15835 15836 40f04e 4 API calls 15833->15836 15834->15833 15837 40e819 11 API calls 15835->15837 
15836->15835 15838 4087d7 15837->15838 15851 408803 15838->15851 15853 4026b2 gethostbyaddr 15838->15853 15841 4087eb 15843 40e8a1 30 API calls 15841->15843 15841->15851 15843->15851 15846 40e819 11 API calls 15846->15851 15847 4088a0 Sleep 15847->15851 15849 4026b2 2 API calls 15849->15851 15850 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15850->15851 15851->15846 15851->15847 15851->15849 15851->15850 15852 40e8a1 30 API calls 15851->15852 15858 408cee 15851->15858 15866 40c4d6 15851->15866 15869 40c4e2 15851->15869 15872 402011 15851->15872 15907 408328 15851->15907 15852->15851 15854 4026fb 15853->15854 15855 4026cd 15853->15855 15854->15841 15856 4026e1 inet_ntoa 15855->15856 15857 4026de 15855->15857 15856->15857 15857->15841 15859 408d02 GetTickCount 15858->15859 15860 408dae 15858->15860 15859->15860 15863 408d19 15859->15863 15860->15851 15861 408da1 GetTickCount 15861->15860 15863->15861 15865 408d89 15863->15865 15959 40a677 15863->15959 15962 40a688 15863->15962 15865->15861 15970 40c2dc 15866->15970 15870 40c2dc 142 API calls 15869->15870 15871 40c4ec 15870->15871 15871->15851 15873 402020 15872->15873 15874 40202e 15872->15874 15876 40f04e 4 API calls 15873->15876 15875 40204b 15874->15875 15877 40f04e 4 API calls 15874->15877 15878 40206e GetTickCount 15875->15878 15879 40f04e 4 API calls 15875->15879 15876->15874 15877->15875 15880 4020db GetTickCount 15878->15880 15892 402090 15878->15892 15883 402068 15879->15883 15881 402132 GetTickCount GetTickCount 15880->15881 15882 4020e7 15880->15882 15885 40f04e 4 API calls 15881->15885 15886 40212b GetTickCount 15882->15886 15897 402125 15882->15897 15900 401978 15 API calls 15882->15900 16304 402ef8 15882->16304 15883->15878 15884 4020d4 GetTickCount 15884->15880 15887 402159 15885->15887 15886->15881 15891 40e854 13 API calls 15887->15891 15904 4021b4 15887->15904 15888 402684 2 API calls 15888->15892 15890 40f04e 4 API calls 15894 4021d1 15890->15894 15896 40218e 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\foufdsk.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\foufdsk.exe$C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$D$P$\$qruvscyd
• API String ID: 2089075347-3995567300
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
• Function 40637c-40640f (graph rendering not recoverable; edge list omitted): GetModuleHandleA, VirtualAlloc, VirtualAllocEx, WriteProcessMemory; subcalls to 40ee08 and 4062b7
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 267 407db4-407db6 265->267 268 407da7-407db3 RegCloseKey 266->268 269 407aed-407b1e LookupAccountNameA 266->269 268->267 269->268 270 407b24-407b43 RegGetKeySecurity 269->270 270->268 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 276 407b74-407b88 LocalAlloc 272->276 274 407da6 273->274 275 407bdc-407be1 273->275 274->268 275->274 278 407be7-407bf2 275->278 276->273 277 407b8a-407b94 InitializeSecurityDescriptor 276->277 279 407bb1-407bb2 LocalFree 277->279 280 407b96-407ba4 SetSecurityDescriptorOwner 277->280 278->274 281 407bf8-407c08 GetAce 278->281 279->273 280->279 282 407ba6-407bab RegSetKeySecurity 280->282 283 407cc6 281->283 284 407c0e-407c1b 281->284 282->279 285 407cc9-407cd3 283->285 286 407c1d-407c2f EqualSid 284->286 287 407c4f-407c52 284->287 285->281 288 407cd9-407cdc 285->288 289 407c31-407c34 286->289 290 407c36-407c38 286->290 291 407c54-407c5e 287->291 292 407c5f-407c71 EqualSid 287->292 288->274 295 407ce2-407ce8 288->295 289->286 289->290 290->287 296 407c3a-407c4d DeleteAce 290->296 291->292 293 407c73-407c84 292->293 294 407c86 292->294 297 407c8b-407c8e 293->297 294->297 298 407d5a-407d6e LocalAlloc 295->298 299 407cea-407cf0 295->299 296->285 300 407c90-407c96 297->300 301 407c9d-407c9f 297->301 298->274 302 407d70-407d7a InitializeSecurityDescriptor 298->302 299->298 303 407cf2-407d0d RegOpenKeyExA 299->303 300->301 304 407ca1-407ca5 301->304 305 407ca7-407cc3 301->305 306 407d7c-407d8a SetSecurityDescriptorDacl 302->306 307 407d9f-407da0 LocalFree 302->307 303->298 308 407d0f-407d16 303->308 304->283 304->305 305->283 306->307 309 407d8c-407d9a RegSetKeySecurity 306->309 307->274 310 407d19-407d1e 308->310 309->307 311 407d9c 309->311 310->310 312 407d20-407d52 call 402544 RegSetValueExA 310->312 311->307 312->298 315 407d54 312->315 315->298
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                            • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$D
                                                                                            • API String ID: 2976863881-4037504507
                                                                                            • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                            • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                            • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 316 4073ff-407419 317 40741b 316->317 318 40741d-407422 316->318 317->318 319 407424 318->319 320 407426-40742b 318->320 319->320 321 407430-407435 320->321 322 40742d 320->322 323 407437 321->323 324 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 321->324 322->321 323->324 329 407487-40749d call 40ee2a 324->329 330 4077f9-4077fe call 40ee2a 324->330 336 407703-40770e RegEnumKeyA 329->336 335 407801 330->335 337 407804-407808 335->337 338 4074a2-4074b1 call 406cad 336->338 339 407714-40771d RegCloseKey 336->339 342 4074b7-4074cc call 40f1a5 338->342 343 4076ed-407700 338->343 339->335 342->343 346 4074d2-4074f8 RegOpenKeyExA 342->346 343->336 347 407727-40772a 346->347 348 4074fe-407530 call 402544 RegQueryValueExA 346->348 349 407755-407764 call 40ee2a 347->349 350 40772c-407740 call 40ef00 347->350 348->347 356 407536-40753c 348->356 361 4076df-4076e2 349->361 358 407742-407745 RegCloseKey 350->358 359 40774b-40774e 350->359 360 40753f-407544 356->360 358->359 363 4077ec-4077f7 RegCloseKey 359->363 360->360 362 407546-40754b 360->362 361->343 364 4076e4-4076e7 RegCloseKey 361->364 362->349 365 407551-40756b call 40ee95 362->365 363->337 364->343 365->349 368 407571-407593 call 402544 call 40ee95 365->368 373 407753 368->373 374 407599-4075a0 368->374 373->349 375 4075a2-4075c6 call 40ef00 call 40ed03 374->375 376 4075c8-4075d7 call 40ed03 374->376 382 4075d8-4075da 375->382 376->382 384 4075dc 382->384 385 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 382->385 384->385 394 407626-40762b 385->394 394->394 395 40762d-407634 394->395 396 407637-40763c 395->396 396->396 397 40763e-407642 396->397 398 407644-407656 call 40ed77 397->398 399 40765c-407673 call 40ed23 397->399 404 407769-40777c call 40ef00 398->404 405 407680 399->405 406 407675-40767e 399->406 411 4077e3-4077e6 RegCloseKey 404->411 408 407683-40768e call 406cad 405->408 406->408 413 407722-407725 408->413 414 407694-4076bf call 40f1a5 call 406c96 408->414 411->363 416 4076dd 413->416 420 4076c1-4076c7 414->420 421 4076d8 414->421 416->361 420->421 422 4076c9-4076d2 420->422 421->416 422->421 423 40777e-407797 GetFileAttributesExA 422->423 424 407799 423->424 425 40779a-40779f 423->425 424->425 426 4077a1 425->426 427 4077a3-4077a8 425->427 426->427 428 4077c4-4077c8 427->428 429 4077aa-4077c0 call 40ee08 427->429 431 4077d7-4077dc 428->431 432 4077ca-4077d6 call 40ef00 428->432 429->428 435 4077e0-4077e2 431->435 436 4077de 431->436 432->431 435->411 436->435
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 438 ee003c-ee0047 439 ee004c-ee0263 call ee0a3f call ee0e0f call ee0d90 VirtualAlloc 438->439 440 ee0049 438->440 455 ee028b-ee0292 439->455 456 ee0265-ee0289 call ee0a69 439->456 440->439 458 ee02a1-ee02b0 455->458 459 ee02ce-ee03c2 VirtualProtect call ee0cce call ee0ce7 456->459 458->459 460 ee02b2-ee02cc 458->460 467 ee03d1-ee03e0 459->467 460->458 468 ee0439-ee04b8 VirtualFree 467->468 469 ee03e2-ee0437 call ee0ce7 467->469 471 ee04be-ee04cd 468->471 472 ee05f4-ee05fe 468->472 469->467 474 ee04d3-ee04dd 471->474 475 ee077f-ee0789 472->475 476 ee0604-ee060d 472->476 474->472 481 ee04e3-ee0505 LoadLibraryA 474->481 479 ee078b-ee07a3 475->479 480 ee07a6-ee07b0 475->480 476->475 477 ee0613-ee0637 476->477 482 ee063e-ee0648 477->482 479->480 483 ee086e-ee08be LoadLibraryA 480->483 484 ee07b6-ee07cb 480->484 485 ee0517-ee0520 481->485 486 ee0507-ee0515 481->486 482->475 489 ee064e-ee065a 482->489 494 ee08c7-ee08f9 483->494 487 ee07d2-ee07d5 484->487 488 ee0526-ee0547 485->488 486->488 490 ee07d7-ee07e0 487->490 491 ee0824-ee0833 487->491 492 ee054d-ee0550 488->492 489->475 493 ee0660-ee066a 489->493 495 ee07e4-ee0822 490->495 496 ee07e2 490->496 500 ee0839-ee083c 491->500 497 ee0556-ee056b 492->497 498 ee05e0-ee05ef 492->498 499 ee067a-ee0689 493->499 501 ee08fb-ee0901 494->501 502 ee0902-ee091d 494->502 495->487 496->491 503 ee056f-ee057a 497->503 504 ee056d 497->504 498->474 505 ee068f-ee06b2 499->505 506 ee0750-ee077a 499->506 500->483 507 ee083e-ee0847 500->507 501->502 509 ee057c-ee0599 503->509 510 ee059b-ee05bb 503->510 504->498 511 ee06ef-ee06fc 505->511 512 ee06b4-ee06ed 505->512 506->482 513 ee084b-ee086c 507->513 514 ee0849 507->514 521 ee05bd-ee05db 509->521 510->521 515 ee06fe-ee0748 511->515 516 ee074b 511->516 512->511 513->500 514->483 515->516 516->499 521->492
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00EE024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 7908eb0240f38d2f487b19ca8ce29cbb718f4d7713ca0e75e80b0e786db81f0f
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: 3F526874A00269DFDB64CF99C984BA8BBB1BF09304F1480D9E94DAB351DB70AE85DF14

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 522 40977c-4097b9 call 40ee2a CreateProcessA 525 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 522->525 526 4097bb-4097bd 522->526 530 409801-40981c call 40637c 525->530 531 4097f5 525->531 527 409864-409866 526->527 532 4097f6-4097ff TerminateProcess 530->532 535 40981e-409839 WriteProcessMemory 530->535 531->532 532->526 535->531 536 40983b-409856 Wow64SetThreadContext 535->536 536->531 537 409858-409863 ResumeThread 536->537 537->527
                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2098669666-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                            • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                            • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 586 404000-404008 587 40400b-40402a CreateFileA 586->587 588 404057 587->588 589 40402c-404035 GetLastError 587->589 592 404059-40405c 588->592 590 404052 589->590 591 404037-40403a 589->591 594 404054-404056 590->594 591->590 593 40403c-40403f 591->593 592->594 593->592 595 404041-404050 Sleep 593->595 595->587 595->590
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 614 406e36-406e5d GetUserNameW 615 406ebe-406ec2 614->615 616 406e5f-406e95 LookupAccountNameW 614->616 616->615 617 406e97-406e9b 616->617 618 406ebb-406ebd 617->618 619 406e9d-406ea3 617->619 618->615 619->618 620 406ea5-406eaa 619->620 621 406eb7-406eb9 620->621 622 406eac-406eb0 620->622 621->615 622->618 623 406eb2-406eb5 622->623 623->618 623->621
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID:
                                                                                            • API String ID: 2370142434-0

                                                                                            Control-flow Graph: basic blocks 6424d8-642536, calling CreateToolhelp32Snapshot, Module32First and the subroutine at 642197
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00642500
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00642520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154069469.0000000000632000.00000040.00000020.00020000.00000000.sdmp, Offset: 00632000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_632000_zgjedxxr.jbxd
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0

                                                                                            Control-flow Graph: basic blocks ee0e0f-ee0e2c, calling SetErrorMode twice
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,00EE0223,?,?), ref: 00EE0E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,00EE0223,?,?), ref: 00EE0E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0

                                                                                            Control-flow Graph: basic blocks 406dc2-406e35, calling the subroutines at 406cc9 and 40ef00 and GetVolumeInformationA
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0

                                                                                            Control-flow Graph: basic blocks 409892-4098f1, calling SetServiceStatus
                                                                                            APIs
                                                                                            • SetServiceStatus.ADVAPI32(00413394), ref: 004098EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            • API ID: ServiceStatus
                                                                                            • String ID:
                                                                                            • API String ID: 3969395364-0

                                                                                            Control-flow Graph: single basic block ee0920-ee0929, calling TerminateProcess
                                                                                            APIs
                                                                                            • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00EE0929
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            • API ID: ProcessTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 560597551-0
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006421E8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154069469.0000000000632000.00000040.00000020.00020000.00000000.sdmp, Offset: 00632000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_632000_zgjedxxr.jbxd
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            APIs
                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            • API ID: CreateEventSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3100162736-0
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 00EE65F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00EE6610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00EE6631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00EE6652
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 00EE9E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00EE9FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 00EE9FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 00EEA004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 00EEA054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 00EEA09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00EEA0D6
                                                                                            • lstrcpy.KERNEL32 ref: 00EEA12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 00EEA13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00EE9F13
                                                                                              • Part of subcall function 00EE7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00EE7081
                                                                                              • Part of subcall function 00EE6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\efijgqmr,00EE7043), ref: 00EE6F4E
                                                                                              • Part of subcall function 00EE6F30: GetProcAddress.KERNEL32(00000000), ref: 00EE6F55
                                                                                              • Part of subcall function 00EE6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00EE6F7B
                                                                                              • Part of subcall function 00EE6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00EE6F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 00EEA1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00EEA1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 00EEA214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 00EEA21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 00EEA265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 00EEA29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 00EEA2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 00EEA2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 00EEA2F4
                                                                                            • wsprintfA.USER32 ref: 00EEA31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 00EEA345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 00EEA364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 00EEA387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 00EEA398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 00EEA1D1
                                                                                              • Part of subcall function 00EE9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 00EE999D
                                                                                              • Part of subcall function 00EE9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 00EE99BD
                                                                                              • Part of subcall function 00EE9966: RegCloseKey.ADVAPI32(?), ref: 00EE99C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 00EEA3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 00EEA3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 00EEA41D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00EE7D21
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00EE7D46
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00EE7D7D
                                                                                            • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00EE7DA2
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00EE7DC0
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00EE7DD1
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00EE7DE5
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00EE7DF3
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00EE7E03
                                                                                            • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00EE7E12
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00EE7E19
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE7E35
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$D
                                                                                            • API String ID: 2976863881-4037504507
                                                                                            • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction ID: 5908d26e91580b2abc2e2bbea858524c0b5e59c700e99de854ea4d5329330f1b
                                                                                            • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                            • Instruction Fuzzy Hash: 38A15C71A0025DAFDF118FA1DD88FEEBBB9FB08304F04846AE545F2150DB758A85CB64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                            • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                            • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                            • wsprintfA.USER32 ref: 0040A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                            • wsprintfA.USER32 ref: 0040A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                            • wsprintfA.USER32 ref: 0040A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                            • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                            • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00EE7A96
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00EE7ACD
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00EE7ADF
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00EE7B01
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00EE7B1F
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00EE7B39
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00EE7B4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00EE7B58
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00EE7B68
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00EE7B77
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00EE7B7E
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE7B9A
                                                                                            • GetAce.ADVAPI32(?,?,?), ref: 00EE7BCA
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00EE7BF1
                                                                                            • DeleteAce.ADVAPI32(?,?), ref: 00EE7C0A
                                                                                            • EqualSid.ADVAPI32(?,?), ref: 00EE7C2C
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00EE7CB1
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00EE7CBF
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00EE7CD0
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00EE7CE0
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00EE7CEE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 6afde6b714865a0d3a008701a088d2749aba6b33d9d4ea8c825575c38a348fde
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 17815A7190424DABDB21CFA5DD84FEEBBBCEF08304F14806AE545F6150D7359A41CBA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$localcfg
                                                                                            • API String ID: 237177642-2907806470
                                                                                            • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-1839596206
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 00EE865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 00EE867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 00EE86A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00EE86B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe
                                                                                            • API String ID: 237177642-2767854593
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 3f2bee3c7cf9ca918f7d8c829330bab074d436722ca1910cda9b09f40f02af36
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: 6DC1B1B190028DBEEB11ABA5DE85EEF7BBCEB04304F145076F609F2051EB714E948B65
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 00EE1601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00EE17D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: 830dda2e9e14eb0d9e17694fb909e372ed7a5b551ffd8d503ec4f6d3c938c047
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: A4F1ACB11083859FD720CF65C888BABBBE4FBC9704F00896DF596A7290D7B4D984CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 00EE76D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00EE7757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 00EE778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 00EE78B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00EE794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00EE796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00EE797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00EE79AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00EE7A56
                                                                                              • Part of subcall function 00EEF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,00EE772A,?), ref: 00EEF414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00EE79F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00EE7A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: ff6e7f0c9ee7ac7934348ca72146e23f0f3e179cdac7dd5c8b117cce11472f06
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: 37C1BF7290428DABEB11DFA6DC45FEEBBB9EF44314F1010A5F544F6192EB719E808B60
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00EE2CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00EE2D07
                                                                                            • htons.WS2_32(00000000), ref: 00EE2D42
                                                                                            • select.WS2_32 ref: 00EE2D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00EE2DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00EE2E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 62031a00dde707265e5eddcdd4adf2c856fbf17bdb3abef72865e85fc5009162
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: C561E371504359ABC3219F62DC09BABBBFCEB84345F10581DFA44B7161D7B4D880CBA5
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
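The record above (GetModuleHandleA/LoadLibraryA on iphlpapi.dll, GetProcAddress of GetNetworkParams, HeapAlloc, htons(0x35), inet_addr, gethostbyname, HeapFree) describes a function that resolves the host's DNS configuration by hand and prepares a socket address on port 53; the same chain, with RtlAllocateHeap in place of GetProcessHeap/HeapAlloc, reappears in the record for 00EE3068 dumped from the 00EE0000 region. GetNetworkParams returns the configured DNS servers in FIXED_INFO.DnsServerList, so the pattern is consistent with the sample talking to the system resolver directly rather than through the WinSock name-resolution API, with gethostbyname as a fallback. What the function actually puts on the wire is not in the trace. The following is an added example, not code from the Joe Sandbox report or from the sample: a minimal DNS wire-format encoder and decoder in Python, with both sides of a constructed exchange. The A-record query, the example name and the addresses in the reply are assumptions for illustration.

```python
import struct

# Added example: a minimal DNS wire-format encoder/decoder. The API chain in the
# report (GetNetworkParams resolved by hand, htons(0x35) = port 53, inet_addr,
# gethostbyname as fallback) is consistent with the sample picking the host's
# configured DNS server and speaking to it directly; what it actually sends is
# not in the trace, so the A-record query below is an assumption.

DNS_PORT = 0x35          # the htons(00000035) argument in the trace
QTYPE_A, QCLASS_IN = 1, 1


class DNSError(ValueError):
    pass


def build_query(name, txid, qtype=QTYPE_A):
    """Encode a one-question DNS query (RFC 1035 section 4.1) with RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise DNSError("bad label %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\0" + struct.pack(">HH", qtype, QCLASS_IN)


def build_a_response(query, ips, ttl=300):
    """Constructed server reply: echo the question, then one A record per ip,
    each naming the owner through a compression pointer (0xC00C) to the question."""
    txid = struct.unpack_from(">H", query, 0)[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
        + bytes(int(octet) for octet in ip.split("."))
        for ip in ips)
    return header + query[12:] + answers


def _read_name(msg, off, depth=0):
    """Decode a possibly compressed name; depth-bounded so a pointer loop cannot hang the parser."""
    if depth > 5:
        raise DNSError("compression pointer loop")
    labels = []
    while True:
        if off >= len(msg):
            raise DNSError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            if off + 2 > len(msg):
                raise DNSError("truncated compression pointer")
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        if length > 63:
            raise DNSError("bad label length %d" % length)
        off += 1
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse_response(msg, expected_txid):
    """Return [(name, ttl, dotted_ip)] for the A records in the answer section.
    A reply whose transaction id does not match is rejected: a resolver that
    skips this check accepts spoofed or stale answers."""
    if len(msg) < 12:
        raise DNSError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if txid != expected_txid:
        raise DNSError("transaction id mismatch")
    if not flags & 0x8000:
        raise DNSError("QR bit clear: not a response")
    if flags & 0xF:
        raise DNSError("server rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                    # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        if off + 10 > len(msg):
            raise DNSError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise DNSError("truncated RDATA")
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            records.append((name, ttl, ".".join(str(b) for b in rdata)))
    return records


def safe_parse(msg, expected_txid):
    """parse_response, but return None instead of raising on a malformed or foreign reply."""
    try:
        return parse_response(msg, expected_txid)
    except DNSError:
        return None
```

On a live host the query would be sent over UDP to the address GetNetworkParams reports, at DNS_PORT; the bounds checks in `_read_name` and `parse_response` are there because a reply from an attacker-controlled or sinkholed server is untrusted input.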
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,76230F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
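The read sequence in the record above is worth reading against the Win32 PE structures: after SetFileAttributesA(…, 0x80) (FILE_ATTRIBUTE_NORMAL) and CreateFileA with GENERIC_READ, the function reads 0x40 bytes, seeks, reads 0xF8 bytes, seeks, reads 0x28 bytes, then seeks to the start and reads again. Those lengths are exactly sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), so the function walks a PE file's headers; the second SetFileAttributesA(…, 0x02) sets FILE_ATTRIBUTE_HIDDEN on the file after it is opened, which is the attribute a hunt should look for rather than relying on a plain directory listing. That reading of the constants is an interpretation of the trace, not something the report states. The following is an added example, not code from the Joe Sandbox report or from the sample: a Python walker that reads a PE32 image in the same order with bounds checks on every offset, run against a constructed two-section image (the section names, offsets and characteristics are made up for the test).

```python
import struct

# Added example: the ReadFile sizes in the trace (0x40, then 0xF8, then 0x28)
# are exactly sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and
# sizeof(IMAGE_SECTION_HEADER). Reading the function as a PE header walk is an
# interpretation of those constants; the report itself does not label them.
DOS_HEADER_SIZE = 0x40
NT_HEADERS32_SIZE = 0xF8
SECTION_HEADER_SIZE = 0x28
PE32_MAGIC = 0x10B
FILE_ATTRIBUTE_NORMAL = 0x80   # SetFileAttributesA(..., 0x80) before CreateFileA
FILE_ATTRIBUTE_HIDDEN = 0x02   # SetFileAttributesA(..., 0x02) after it


class PEError(ValueError):
    pass


def build_minimal_pe32(sections, e_lfanew=0x80):
    """Constructed test input: a tiny PE32 image with the given section table.
    sections: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    nt = b"PE\0\0" + file_header + bytes(optional)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in sections)
    image = bytes(dos) + stub + nt + table
    end = max([rawptr + rawsize for _, _, _, rawsize, rawptr, _ in sections] + [len(image)])
    return image + bytes(end - len(image))      # zero-fill so every section's raw data exists


def parse_pe32_headers(data):
    """Walk the headers in the order the traced function reads them: the DOS header,
    IMAGE_NT_HEADERS32 at e_lfanew, then one IMAGE_SECTION_HEADER per section.
    Every offset is checked against the file size before use; that is the part an
    analysis tool has to get right, because the input is attacker-controlled."""
    size = len(data)
    if size < DOS_HEADER_SIZE:
        raise PEError("shorter than IMAGE_DOS_HEADER")
    dos = data[:DOS_HEADER_SIZE]                                   # ReadFile(..., 0x40)
    if dos[:2] != b"MZ":
        raise PEError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    if e_lfanew + NT_HEADERS32_SIZE > size:
        raise PEError("e_lfanew 0x%x points past end of file" % e_lfanew)
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]               # SetFilePointer + ReadFile(..., 0xF8)
    if nt[:4] != b"PE\0\0":
        raise PEError("missing PE signature")
    machine, nsections = struct.unpack_from("<HH", nt, 4)
    size_of_optional = struct.unpack_from("<H", nt, 20)[0]
    magic = struct.unpack_from("<H", nt, 24)[0]
    if magic != PE32_MAGIC:
        raise PEError("optional header magic 0x%x is not PE32" % magic)
    table_off = e_lfanew + 4 + 20 + size_of_optional
    if table_off + nsections * SECTION_HEADER_SIZE > size:
        raise PEError("section table runs past end of file")
    sections = []
    for i in range(nsections):                                     # ReadFile(..., 0x28) per entry
        off = table_off + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_offset": rawptr, "raw_size": rawsize,
            "characteristics": chars,
            # packed or truncated samples often claim raw data beyond EOF: flag it, never trust it
            "raw_within_file": rawptr + rawsize <= size,
        })
    return {"machine": machine, "e_lfanew": e_lfanew, "sections": sections}


def is_well_formed(data):
    """True when the headers parse; malformed input is reported, never dereferenced."""
    try:
        parse_pe32_headers(data)
        return True
    except PEError:
        return False


def demo_image():
    """Constructed sample: two sections, .text at file offset 0x200 and .data at 0x400."""
    return build_minimal_pe32([
        (b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020),
        (b".data", 0x100, 0x2000, 0x100, 0x400, 0xC0000040),
    ])
```

The `e_lfanew` and section-table checks are the ones that matter when the file under examination was written by the malware itself: a bogus `e_lfanew` or an oversized `NumberOfSections` is read by the traced function without any visible validation, and a tool that follows it blindly reads out of bounds.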
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00EE202D
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00EE204F
                                                                                            • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 00EE206A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00EE2071
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00EE2082
                                                                                            • GetTickCount.KERNEL32 ref: 00EE2230
                                                                                              • Part of subcall function 00EE1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00EE1E7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                            • API String ID: 4207808166-1391650218
                                                                                            • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: 1728fd795a2c80bc7c53840afd7efcb24db2906ec7bc2442e1060a0f9588f869
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: F251E97150038C6FE330AF768C85F67BAECEF44704F00592DFA96A2252D7B5A984C765
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00EE3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00EE3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00EE3095
• RtlAllocateHeap.NTDLL(00000000), ref: 00EE30B6
• htons.WS2_32(00000035), ref: 00EE30EF
• inet_addr.WS2_32(?), ref: 00EE30FA
• gethostbyname.WS2_32(?), ref: 00EE310D
• HeapFree.KERNEL32(00000000), ref: 00EE314D
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 798d28db865cf56ef5b93172ea59ba6491352df0a2acb3cb79a7f6ecb96b23d5
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 4F31D831A0168EBBDB119BB69C4CAAE77B8EF04364F144229F518F3290DB74DE41CB54
APIs
• GetVersionExA.KERNEL32(?), ref: 00EE95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00EE95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 00EE95DC
• wsprintfA.USER32 ref: 00EE9635
• wsprintfA.USER32 ref: 00EE9673
• wsprintfA.USER32 ref: 00EE96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00EE9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00EE978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00EE97D8
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 8aa6f895cf61cf520cbb86483a44ba0d2e7995579fe4d100559531264830cc7a
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: E2A18CB190028CAFEB25DFA2CC45FDA3BECEB05340F105026FA15E6152E7B5D984CBA4
APIs
• GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 00EE67C3
• htonl.WS2_32(?), ref: 00EE67DF
• htonl.WS2_32(?), ref: 00EE67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 00EE68F1
• ExitProcess.KERNEL32 ref: 00EE69BC
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 5eff5e9ae63a1098fd8770bb189fc4d3ce5d67b19578674e92884a4eecdfeebd
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: E3618E71A40248AFDB609FB4DC45FEA77E9FB48300F248066FA6CD2161EA7599908F14
APIs
• htons.WS2_32(00EECC84), ref: 00EEF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 00EEF5CE
• closesocket.WS2_32(00000000), ref: 00EEF5DC
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 5d38cab0550fe4ac086d7f7e0a2a72a3b2b11f716c61e856bc4490805cb9a114
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 1931587290015DABDB10DFA6DC89DEEBBBCEF88314F10456AF915E3150E7709A818BE4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00EE2FA1
• LoadLibraryA.KERNEL32(?), ref: 00EE2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00EE2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00EE3000
• RtlAllocateHeap.NTDLL(00000000), ref: 00EE3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00EE3032
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 5d846ec2db9018854a0fe82c937614f967c60d4cfac61a651ac37f1a09081f3f
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 86219271A00669BBCB219F66DC489EEBBBCEF08B14F104425F901F7140D7B59E8187D4
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00EE9A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 00EE9A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00EE9A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00EE9A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 00EE9AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 00EE9AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
APIs
• inet_addr.WS2_32(004102D8), ref: 00EE1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00EE1C26
• GetProcessHeap.KERNEL32 ref: 00EE1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00EE1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00EE1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00EE1D02
• FreeLibrary.KERNEL32(?), ref: 00EE1D0B
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00EE6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00EE6D22
• GetLastError.KERNEL32 ref: 00EE6DA7
• CloseHandle.KERNEL32(?), ref: 00EE6DB5
• GetLastError.KERNEL32 ref: 00EE6DD6
• DeleteFileA.KERNEL32(?), ref: 00EE6DE7
• GetLastError.KERNEL32 ref: 00EE6DFD
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\efijgqmr,00EE7043), ref: 00EE6F4E
• GetProcAddress.KERNEL32(00000000), ref: 00EE6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00EE6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00EE6F92
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\efijgqmr
• API String ID: 1082366364-3101994323
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
  • Part of subcall function 00EEDF6C: GetCurrentThreadId.KERNEL32 ref: 00EEDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 00EEE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00EE6128), ref: 00EEE950
• lstrcmp.KERNEL32(?,00000008), ref: 00EEE989
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 00EE92E2
• wsprintfA.USER32 ref: 00EE9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00EE9375
• lstrlen.KERNEL32(?,?,00000000), ref: 00EE9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00EE9394
• CloseHandle.KERNEL32(00000000), ref: 00EE939B
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
APIs
• GetTickCount.KERNEL32 ref: 00EEC6B4
• InterlockedIncrement.KERNEL32(00EEC74B), ref: 00EEC715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,00EEC747), ref: 00EEC728
• CloseHandle.KERNEL32(00000000,?,00EEC747,00413588,00EE8A77), ref: 00EEC733
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe
                                                                                            • API String ID: 124786226-4236501990
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,00EEE50A,00000000,00000000,00000000,00020106,00000000,00EEE50A,00000000,000000E4), ref: 00EEE319
                                                                                            • RegSetValueExA.ADVAPI32(00EEE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 00EEE38E
                                                                                            • RegDeleteValueA.ADVAPI32(00EEE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D), ref: 00EEE3BF
                                                                                            • RegCloseKey.ADVAPI32(00EEE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D,00EEE50A), ref: 00EEE3C8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: D
                                                                                            • API String ID: 2667537340-185221428
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00EE71E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00EE7228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 00EE7286
                                                                                            • wsprintfA.USER32 ref: 00EE729D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 00EEB51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EEB529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EEB548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 00EEB590
                                                                                            • wsprintfA.USER32 ref: 00EEB61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00EE6303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00EE632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00EE63B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00EE6405
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 00EE93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 00EE93CD
• CharToOemA.USER32(?,?), ref: 00EE93DB
• wsprintfA.USER32 ref: 00EE9410
  • Part of subcall function 00EE92CB: GetTempPathA.KERNEL32(00000400,?), ref: 00EE92E2
  • Part of subcall function 00EE92CB: wsprintfA.USER32 ref: 00EE9350
  • Part of subcall function 00EE92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00EE9375
  • Part of subcall function 00EE92CB: lstrlen.KERNEL32(?,?,00000000), ref: 00EE9389
  • Part of subcall function 00EE92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00EE9394
  • Part of subcall function 00EE92CB: CloseHandle.KERNEL32(00000000), ref: 00EE939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00EE9448
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00EE69E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00EE6A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00EE6A3A
• CloseHandle.KERNEL32(000000FF), ref: 00EE6BD8
  • Part of subcall function 00EEEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00EE1DCF,?), ref: 00EEEEA8
  • Part of subcall function 00EEEE95: HeapFree.KERNEL32(00000000), ref: 00EEEEAF
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00EE421F
                                                                                            • GetLastError.KERNEL32 ref: 00EE4229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 00EE423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EE424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 66c05c882ceea9462745ec8aeebccc09dc6c41ec8507b584cb81cf4c69a18536
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: 6601A5B251114DABDF01DF91ED84BEE7BACEB08355F1084A1FA01E20A0D770AA549BB6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00EE41AB
                                                                                            • GetLastError.KERNEL32 ref: 00EE41B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 00EE41C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EE41D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 0617be4cef3edcb22c2e0056e1ebe7d2e7735fc9ec72e5308dced970c7c8f2ac
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: 2101E97651214EABDF01DF91ED84BEE7B6CEB18359F104061F901E2090D7709A948BB5
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 00EEE066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: 858b905da63f2d0dfd6a9bc3902dc980f29a0fd1c5922e6ca54b460d5451f50d
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 06F0963120075ADBCB30CF26D884A82B7E9FF05325B44862BE154E3260D3B4ECD8CB55
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                            • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                            • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                            • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,D,00000000,00000000,00000000), ref: 00EEE470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 00EEE484
                                                                                              • Part of subcall function 00EEE2FC: RegCreateKeyExA.ADVAPI32(80000001,00EEE50A,00000000,00000000,00000000,00020106,00000000,00EEE50A,00000000,000000E4), ref: 00EEE319
                                                                                              • Part of subcall function 00EEE2FC: RegSetValueExA.ADVAPI32(00EEE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 00EEE38E
                                                                                              • Part of subcall function 00EEE2FC: RegDeleteValueA.ADVAPI32(00EEE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D), ref: 00EEE3BF
                                                                                              • Part of subcall function 00EEE2FC: RegCloseKey.ADVAPI32(00EEE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D,00EEE50A), ref: 00EEE3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 4151426672-185221428
                                                                                            • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction ID: 3846409bbb60b32f979fcb7bf548eadefda7f8eb7136c764ad6e87b89935c41d
                                                                                            • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                            • Instruction Fuzzy Hash: C341F1B1D0028CBADB205F538C46FDB3F5CEF04758F149025FA19B4192E7B58A54D6B4
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 00EE83C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00EE8477
                                                                                              • Part of subcall function 00EE69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 00EE69E5
                                                                                              • Part of subcall function 00EE69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00EE6A26
                                                                                              • Part of subcall function 00EE69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00EE6A3A
                                                                                              • Part of subcall function 00EEEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00EE1DCF,?), ref: 00EEEEA8
                                                                                              • Part of subcall function 00EEEE95: HeapFree.KERNEL32(00000000), ref: 00EEEEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe
                                                                                            • API String ID: 359188348-4236501990
                                                                                            • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction ID: daf520b5395765a44a50056594fad5fd0d344f36b6af09dfeb898bb9c5b0eff8
                                                                                            • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                            • Instruction Fuzzy Hash: E641B4B280018DBFDB10EBA29E81DFF77ACEB00304F0454A6F558F2151FAB15A448B50
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 00EEAFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00EEB00D
                                                                                              • Part of subcall function 00EEAF6F: gethostname.WS2_32(?,00000080), ref: 00EEAF83
                                                                                              • Part of subcall function 00EEAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 00EEAFE6
                                                                                              • Part of subcall function 00EE331C: gethostname.WS2_32(?,00000080), ref: 00EE333F
                                                                                              • Part of subcall function 00EE331C: gethostbyname.WS2_32(?), ref: 00EE3349
                                                                                              • Part of subcall function 00EEAA0A: inet_ntoa.WS2_32(00000000), ref: 00EEAA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction ID: 986e06ce8ea04b04ffc14efd6387a296b7169b727548a805976392ba886ab12c
                                                                                            • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                            • Instruction Fuzzy Hash: B241017290024CABDB25EFA1DC46EEF3BACFF08304F14442AF925A2152EB75E654CB54
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00EE9536
                                                                                            • Sleep.KERNEL32(000001F4), ref: 00EE955D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-3916222277
                                                                                            • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction ID: b2e23fcf87422fb771e677f8123fa816147117c2d686ddce624a316486c2612d
                                                                                            • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                            • Instruction Fuzzy Hash: 424127718043CD6EEB378B66D88C7F63BE49B02318F2420A5D492B7193D6B44D89C731
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00EEB9D9
                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 00EEBA3A
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 00EEBA94
                                                                                            • GetTickCount.KERNEL32 ref: 00EEBB79
                                                                                            • GetTickCount.KERNEL32 ref: 00EEBB99
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 00EEBE15
                                                                                            • closesocket.WS2_32(00000000), ref: 00EEBEB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 1869671989-2903620461
                                                                                            • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction ID: b20994bba1e81808b03c866407ed0017cd2059b017b30e41d0ce15410bd32b2a
                                                                                            • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                            • Instruction Fuzzy Hash: 0D318D7190028CDFDF25DFA6DC84AEA77F8EB48704F20506AFA24A2161DB30DA85CF10
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                            • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                            • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                            • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                            • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                            • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                            • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 00EE70BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 00EE70F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: 4a8bfacca90c7415b6c6ead06872fec320d0a4b180fbe5f974ff6b0bbf8bbb38
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 56118E7290529CEBCF11CFD1DC84ADEB7BCAB04305F1051A6E541F2190E7709B88EBA0
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
• Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
• Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
APIs
  • Part of subcall function 00EE2F88: GetModuleHandleA.KERNEL32(?), ref: 00EE2FA1
  • Part of subcall function 00EE2F88: LoadLibraryA.KERNEL32(?), ref: 00EE2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE31DA
• HeapFree.KERNEL32(00000000), ref: 00EE31E1
Memory Dump Source
• Source File: 0000000C.00000002.2154193010.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_ee0000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction ID: aa294943f97b954fd36bf96bfc2023f050259d085998abf42a5003004de244c0
• Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
• Instruction Fuzzy Hash: CC51AC3190028AEFCB019F65D8889EAB7B5FF19304F145169ED96A7221E732DA19CB90
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 0000000C.00000002.2153853694.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_zgjedxxr.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
• Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
• Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1809
Total number of Limit Nodes: 18
execution_graph: serialized node and edge data of the rendered execution graph (function addresses, resolved API names and call edges); the interactive graph view is not reproducible as text here.
74e7ff 6977->7129 6981 74e7ff lstrcmpiA 6978->6981 6989 74c54f 6978->6989 6979->6977 6982 74c615 6981->6982 6983 74ebcc 4 API calls 6982->6983 6982->6989 6983->6989 6985 74c5d1 6987 74ebcc 4 API calls 6985->6987 6986 74e819 11 API calls 6988 74c5b7 6986->6988 6987->6989 6990 74f04e 4 API calls 6988->6990 6989->6378 6991 74c5bf 6990->6991 6991->6978 6991->6985 6994 74c8d2 6992->6994 6993 74c907 6993->6380 6994->6993 6995 74c517 23 API calls 6994->6995 6995->6993 6997 74c670 6996->6997 6998 74c67d 6996->6998 6999 74ebcc 4 API calls 6997->6999 7000 74ebcc 4 API calls 6998->7000 7002 74c699 6998->7002 6999->6998 7000->7002 7001 74c6f3 7001->6409 7001->6435 7002->7001 7003 74c73c send 7002->7003 7003->7001 7005 74c770 7004->7005 7006 74c77d 7004->7006 7008 74ebcc 4 API calls 7005->7008 7007 74c799 7006->7007 7009 74ebcc 4 API calls 7006->7009 7010 74c7b5 7007->7010 7011 74ebcc 4 API calls 7007->7011 7008->7006 7009->7007 7012 74f43e recv 7010->7012 7011->7010 7013 74c7cb 7012->7013 7014 74f43e recv 7013->7014 7015 74c7d3 7013->7015 7014->7015 7015->6435 7132 747db7 7016->7132 7019 747e70 7020 747e96 7019->7020 7022 74f04e 4 API calls 7019->7022 7020->6435 7021 74f04e 4 API calls 7023 747e4c 7021->7023 7022->7020 7023->7019 7024 74f04e 4 API calls 7023->7024 7024->7019 7026 746ec3 2 API calls 7025->7026 7027 747fdd 7026->7027 7028 7473ff 17 API calls 7027->7028 7029 7480c2 CreateProcessA 7027->7029 7030 747fff 7028->7030 7029->6463 7029->6464 7030->7029 7031 747809 21 API calls 7030->7031 7032 74804d 7031->7032 7032->7029 7033 74ef1e lstrlenA 7032->7033 7034 74809e 7033->7034 7035 74ef1e lstrlenA 7034->7035 7036 7480af 7035->7036 7037 747a95 24 API calls 7036->7037 7037->7029 7039 747db7 2 API calls 7038->7039 7040 747eb8 7039->7040 7041 74f04e 4 API calls 7040->7041 7042 747ece DeleteFileA 7041->7042 7042->6435 7044 74dd05 6 API calls 7043->7044 7045 74e31d 7044->7045 7136 74e177 7045->7136 7047 74e326 7047->6434 7049 7431f3 7048->7049 7059 7431ec 7048->7059 7050 74ebcc 
4 API calls 7049->7050 7064 7431fc 7050->7064 7051 74344b 7052 74349d 7051->7052 7053 743459 7051->7053 7054 74ec2e codecvt 4 API calls 7052->7054 7055 74f04e 4 API calls 7053->7055 7054->7059 7056 74345f 7055->7056 7058 7430fa 4 API calls 7056->7058 7057 74ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7057->7064 7058->7059 7059->6435 7060 74344d 7061 74ec2e codecvt 4 API calls 7060->7061 7061->7051 7063 743141 lstrcmpiA 7063->7064 7064->7051 7064->7057 7064->7059 7064->7060 7064->7063 7162 7430fa GetTickCount 7064->7162 7066 7430fa 4 API calls 7065->7066 7067 743c1a 7066->7067 7071 743ce6 7067->7071 7167 743a72 7067->7167 7070 743a72 9 API calls 7073 743c5e 7070->7073 7071->6435 7072 743a72 9 API calls 7072->7073 7073->7071 7073->7072 7074 74ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7073->7074 7074->7073 7076 743a10 7075->7076 7077 7430fa 4 API calls 7076->7077 7078 743a1a 7077->7078 7078->6435 7080 74dd05 6 API calls 7079->7080 7081 74e7be 7080->7081 7081->6435 7083 74c105 7082->7083 7084 74c07e wsprintfA 7082->7084 7083->6435 7176 74bfce GetTickCount wsprintfA 7084->7176 7086 74c0ef 7177 74bfce GetTickCount wsprintfA 7086->7177 7089 747047 7088->7089 7090 746f88 LookupAccountNameA 7088->7090 7089->6435 7092 747025 7090->7092 7093 746fcb 7090->7093 7178 746edd 7092->7178 7095 746fdb ConvertSidToStringSidA 7093->7095 7095->7092 7097 746ff1 7095->7097 7098 747013 LocalFree 7097->7098 7098->7092 7100 74dd05 6 API calls 7099->7100 7101 74e85c 7100->7101 7102 74dd84 lstrcmpiA 7101->7102 7103 74e867 7102->7103 7104 74e885 lstrcpyA 7103->7104 7189 7424a5 7103->7189 7192 74dd69 7104->7192 7110 747db7 2 API calls 7109->7110 7111 747de1 7110->7111 7112 747e16 7111->7112 7113 74f04e 4 API calls 7111->7113 7112->6435 7114 747df2 7113->7114 7114->7112 7115 74f04e 4 API calls 7114->7115 7115->7112 7117 74f33b 7116->7117 7118 74ca1d 7116->7118 7119 74f347 htons socket 7117->7119 7118->6393 7118->6971 7120 74f374 closesocket 7119->7120 7121 
74f382 ioctlsocket 7119->7121 7120->7118 7122 74f39d 7121->7122 7123 74f3aa connect select 7121->7123 7124 74f39f closesocket 7122->7124 7123->7118 7125 74f3f2 __WSAFDIsSet 7123->7125 7124->7118 7125->7124 7126 74f403 ioctlsocket 7125->7126 7128 74f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7126->7128 7128->7118 7130 74dd84 lstrcmpiA 7129->7130 7131 74c58e 7130->7131 7131->6978 7131->6985 7131->6986 7133 747dc8 InterlockedExchange 7132->7133 7134 747dd4 7133->7134 7135 747dc0 Sleep 7133->7135 7134->7019 7134->7021 7135->7133 7139 74e184 7136->7139 7137 74e2e4 7137->7047 7138 74e223 7138->7137 7141 74dfe2 8 API calls 7138->7141 7139->7137 7139->7138 7152 74dfe2 7139->7152 7146 74e23c 7141->7146 7142 74e1be 7142->7138 7143 74dbcf 3 API calls 7142->7143 7145 74e1d6 7143->7145 7144 74e21a CloseHandle 7144->7138 7145->7138 7145->7144 7147 74e1f9 WriteFile 7145->7147 7146->7137 7156 74e095 RegCreateKeyExA 7146->7156 7147->7144 7149 74e213 7147->7149 7149->7144 7150 74e2a3 7150->7137 7151 74e095 4 API calls 7150->7151 7151->7137 7153 74dffc 7152->7153 7155 74e024 7152->7155 7154 74db2e 8 API calls 7153->7154 7153->7155 7154->7155 7155->7142 7157 74e172 7156->7157 7158 74e0c0 7156->7158 7157->7150 7159 74e13d 7158->7159 7161 74e115 RegSetValueExA 7158->7161 7160 74e14e RegDeleteValueA RegCloseKey 7159->7160 7160->7157 7161->7158 7161->7159 7163 743122 InterlockedExchange 7162->7163 7164 74312e 7163->7164 7165 74310f GetTickCount 7163->7165 7164->7064 7165->7164 7166 74311a Sleep 7165->7166 7166->7163 7168 74f04e 4 API calls 7167->7168 7169 743a83 7168->7169 7170 743bc0 7169->7170 7173 743b66 lstrlenA 7169->7173 7174 743ac1 7169->7174 7171 743be6 7170->7171 7175 74ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7170->7175 7172 74ec2e codecvt 4 API calls 7171->7172 7172->7174 7173->7169 7173->7174 7174->7070 7174->7071 7175->7170 7176->7086 7177->7083 7179 746eef AllocateAndInitializeSid 7178->7179 7185 746f55 wsprintfA 7178->7185 7180 746f44 
7179->7180 7181 746f1c CheckTokenMembership 7179->7181 7180->7185 7186 746e36 GetUserNameW 7180->7186 7182 746f2e 7181->7182 7183 746f3b FreeSid 7181->7183 7182->7183 7183->7180 7185->7089 7187 746e5f LookupAccountNameW 7186->7187 7188 746e97 7186->7188 7187->7188 7188->7185 7190 742419 4 API calls 7189->7190 7191 7424b6 7190->7191 7191->7104 7193 74dd79 lstrlenA 7192->7193 7193->6435 7195 74eb17 7194->7195 7197 74eb21 7194->7197 7196 74eae4 2 API calls 7195->7196 7196->7197 7197->6520 7200 7469b9 WriteFile 7198->7200 7201 746a3c 7200->7201 7203 7469ff 7200->7203 7201->6515 7201->6516 7202 746a10 WriteFile 7202->7201 7202->7203 7203->7201 7203->7202 7205 743ee2 7204->7205 7206 743edc 7204->7206 7205->6531 7207 746dc2 6 API calls 7206->7207 7207->7205 7209 74400b CreateFileA 7208->7209 7210 744052 7209->7210 7211 74402c GetLastError 7209->7211 7210->6534 7211->7210 7212 744037 7211->7212 7212->7210 7213 744041 Sleep 7212->7213 7213->7209 7213->7210 7215 743f7c 7214->7215 7216 743f4e GetLastError 7214->7216 7218 743f8c ReadFile 7215->7218 7216->7215 7217 743f5b WaitForSingleObject GetOverlappedResult 7216->7217 7217->7215 7219 743ff0 7218->7219 7220 743fc2 GetLastError 7218->7220 7219->6539 7219->6540 7220->7219 7221 743fcf WaitForSingleObject GetOverlappedResult 7220->7221 7221->7219 7223 741924 GetVersionExA 7222->7223 7223->6579 7225 74f0f1 7224->7225 7226 74f0ed 7224->7226 7227 74f119 7225->7227 7228 74f0fa lstrlenA SysAllocStringByteLen 7225->7228 7226->6611 7229 74f11c MultiByteToWideChar 7227->7229 7228->7229 7230 74f117 7228->7230 7229->7230 7230->6611 7232 741820 17 API calls 7231->7232 7233 7418f2 7232->7233 7234 7418f9 7233->7234 7248 741280 7233->7248 7234->6605 7236 741908 7236->6605 7261 741000 7237->7261 7239 741839 7240 741851 GetCurrentProcess 7239->7240 7241 74183d 7239->7241 7242 741864 7240->7242 7241->6597 7242->6597 7244 74920e 7243->7244 7247 749308 7243->7247 7244->7244 7245 7492f1 Sleep 7244->7245 7246 7492bf ShellExecuteA 7244->7246 
7244->7247 7245->7244 7246->7244 7246->7247 7247->6605 7250 7412e1 7248->7250 7249 741373 ShellExecuteExW 7251 7416f9 GetLastError 7249->7251 7258 7413a8 7249->7258 7250->7249 7250->7250 7257 741699 7251->7257 7252 741570 lstrlenW 7252->7258 7253 7415be GetStartupInfoW 7253->7258 7254 7415ff CreateProcessWithLogonW 7255 7416bf GetLastError 7254->7255 7256 74163f WaitForSingleObject 7254->7256 7255->7257 7256->7258 7259 741659 CloseHandle 7256->7259 7257->7236 7258->7252 7258->7253 7258->7254 7258->7257 7260 741668 CloseHandle 7258->7260 7259->7258 7260->7258 7262 74100d LoadLibraryA 7261->7262 7271 741023 7261->7271 7263 741021 7262->7263 7262->7271 7263->7239 7264 7410b5 GetProcAddress 7265 7410d1 GetProcAddress 7264->7265 7266 74127b 7264->7266 7265->7266 7267 7410f0 GetProcAddress 7265->7267 7266->7239 7267->7266 7268 741110 GetProcAddress 7267->7268 7268->7266 7269 741130 GetProcAddress 7268->7269 7269->7266 7270 74114f GetProcAddress 7269->7270 7270->7266 7272 74116f GetProcAddress 7270->7272 7271->7264 7281 7410ae 7271->7281 7272->7266 7273 74118f GetProcAddress 7272->7273 7273->7266 7274 7411ae GetProcAddress 7273->7274 7274->7266 7275 7411ce GetProcAddress 7274->7275 7275->7266 7276 7411ee GetProcAddress 7275->7276 7276->7266 7277 741209 GetProcAddress 7276->7277 7277->7266 7278 741225 GetProcAddress 7277->7278 7278->7266 7279 741241 GetProcAddress 7278->7279 7279->7266 7280 74125c GetProcAddress 7279->7280 7280->7266 7281->7239 7283 74908d 7282->7283 7284 7490e2 wsprintfA 7283->7284 7285 74ee2a 7284->7285 7286 7490fd CreateFileA 7285->7286 7287 74913f 7286->7287 7288 74911a lstrlenA WriteFile CloseHandle 7286->7288 7287->6634 7287->6635 7288->7287 7290 74ee2a 7289->7290 7291 749794 CreateProcessA 7290->7291 7292 7497c2 7291->7292 7293 7497bb 7291->7293 7294 7497d4 GetThreadContext 7292->7294 7293->6645 7295 7497f5 7294->7295 7296 749801 7294->7296 7298 7497f6 TerminateProcess 7295->7298 7303 74637c 7296->7303 7298->7293 7299 749816 7299->7298 7300 74981e 
WriteProcessMemory 7299->7300 7300->7295 7301 74983b SetThreadContext 7300->7301 7301->7295 7302 749858 ResumeThread 7301->7302 7302->7293 7304 746386 7303->7304 7305 74638a GetModuleHandleA VirtualAlloc 7303->7305 7304->7299 7306 7463b6 7305->7306 7310 7463f5 7305->7310 7307 7463be VirtualAllocEx 7306->7307 7308 7463d6 7307->7308 7307->7310 7309 7463df WriteProcessMemory 7308->7309 7309->7310 7310->7299 7312 748791 7311->7312 7315 74879f 7311->7315 7313 74f04e 4 API calls 7312->7313 7313->7315 7314 7487bc 7317 74e819 11 API calls 7314->7317 7315->7314 7316 74f04e 4 API calls 7315->7316 7316->7314 7318 7487d7 7317->7318 7331 748803 7318->7331 7466 7426b2 gethostbyaddr 7318->7466 7321 7487eb 7323 74e8a1 30 API calls 7321->7323 7321->7331 7323->7331 7326 74e819 11 API calls 7326->7331 7327 7488a0 Sleep 7327->7331 7328 74f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7328->7331 7330 7426b2 2 API calls 7330->7331 7331->7326 7331->7327 7331->7328 7331->7330 7332 74e8a1 30 API calls 7331->7332 7363 748cee 7331->7363 7371 74c4d6 7331->7371 7374 74c4e2 7331->7374 7377 742011 7331->7377 7412 748328 7331->7412 7332->7331 7334 744084 7333->7334 7335 74407d 7333->7335 7336 743ecd 6 API calls 7334->7336 7337 74408f 7336->7337 7338 744000 3 API calls 7337->7338 7339 744095 7338->7339 7340 744130 7339->7340 7341 7440c0 7339->7341 7342 743ecd 6 API calls 7340->7342 7346 743f18 4 API calls 7341->7346 7343 744159 CreateNamedPipeA 7342->7343 7344 744167 Sleep 7343->7344 7345 744188 ConnectNamedPipe 7343->7345 7344->7340 7348 744176 CloseHandle 7344->7348 7347 744195 GetLastError 7345->7347 7359 7441ab 7345->7359 7349 7440da 7346->7349 7351 74425e DisconnectNamedPipe 7347->7351 7347->7359 7348->7345 7350 743f8c 4 API calls 7349->7350 7353 7440ec 7350->7353 7351->7345 7352 744127 CloseHandle 7352->7340 7353->7352 7354 744101 7353->7354 7355 743f18 4 API calls 7354->7355 7356 74411c ExitProcess 7355->7356 7357 743f8c ReadFile GetLastError 
WaitForSingleObject GetOverlappedResult 7357->7359 7358 743f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7358->7359 7359->7345 7359->7351 7359->7357 7359->7358 7360 74426a CloseHandle CloseHandle 7359->7360 7361 74e318 23 API calls 7360->7361 7362 74427b 7361->7362 7362->7362 7364 748d02 GetTickCount 7363->7364 7365 748dae 7363->7365 7364->7365 7368 748d19 7364->7368 7365->7331 7366 748da1 GetTickCount 7366->7365 7368->7366 7370 748d89 7368->7370 7471 74a677 7368->7471 7474 74a688 7368->7474 7370->7366 7482 74c2dc 7371->7482 7375 74c2dc 142 API calls 7374->7375 7376 74c4ec 7375->7376 7376->7331 7378 74202e 7377->7378 7379 742020 7377->7379 7381 74204b 7378->7381 7382 74f04e 4 API calls 7378->7382 7380 74f04e 4 API calls 7379->7380 7380->7378 7383 74206e GetTickCount 7381->7383 7384 74f04e 4 API calls 7381->7384 7382->7381 7385 7420db GetTickCount 7383->7385 7396 742090 7383->7396 7388 742068 7384->7388 7386 7420e7 7385->7386 7387 742132 GetTickCount GetTickCount 7385->7387 7391 74212b GetTickCount 7386->7391 7403 741978 15 API calls 7386->7403 7404 742125 7386->7404 7812 742ef8 7386->7812 7390 74f04e 4 API calls 7387->7390 7388->7383 7389 7420d4 GetTickCount 7389->7385 7393 742159 7390->7393 7391->7387 7392 742684 2 API calls 7392->7396 7394 7421b4 7393->7394 7398 74e854 13 API calls 7393->7398 7397 74f04e 4 API calls 7394->7397 7396->7389 7396->7392 7401 7420ce 7396->7401 7822 741978 7396->7822 7400 7421d1 7397->7400 7402 74218e 7398->7402 7405 7421f2 7400->7405 7407 74ea84 30 API calls 7400->7407 7401->7389 7406 74e819 11 API calls 7402->7406 7403->7386 7404->7391 7405->7331 7408 74219c 7406->7408 7409 7421ec 7407->7409 7408->7394 7827 741c5f 7408->7827 7410 74f04e 4 API calls 7409->7410 7410->7405 7413 747dd6 6 API calls 7412->7413 7414 74833c 7413->7414 7415 746ec3 2 API calls 7414->7415 7442 748340 7414->7442 7416 74834f 7415->7416 7417 74835c 7416->7417 7422 74846b 7416->7422 7418 7473ff 17 API calls 7417->7418 7443 748373 7418->7443 7419 
7485df 7420 748626 GetTempPathA 7419->7420 7432 748768 7419->7432 7447 748671 7419->7447 7433 748638 7420->7433 7421 74675c 21 API calls 7421->7419 7424 7484a7 RegOpenKeyExA 7422->7424 7439 748450 7422->7439 7426 7484c0 RegQueryValueExA 7424->7426 7427 74852f 7424->7427 7425 7486ad 7428 748762 7425->7428 7431 747e2f 6 API calls 7425->7431 7429 748521 RegCloseKey 7426->7429 7430 7484dd 7426->7430 7434 748564 RegOpenKeyExA 7427->7434 7445 7485a5 7427->7445 7428->7432 7429->7427 7430->7429 7436 74ebcc 4 API calls 7430->7436 7446 7486bb 7431->7446 7438 74ec2e codecvt 4 API calls 7432->7438 7432->7442 7433->7447 7435 748573 RegSetValueExA RegCloseKey 7434->7435 7434->7445 7435->7445 7441 7484f0 7436->7441 7437 74875b DeleteFileA 7437->7428 7438->7442 7439->7419 7439->7421 7441->7429 7444 7484f8 RegQueryValueExA 7441->7444 7442->7331 7443->7439 7443->7442 7448 7483ea RegOpenKeyExA 7443->7448 7444->7429 7449 748515 7444->7449 7445->7439 7450 74ec2e codecvt 4 API calls 7445->7450 7446->7437 7455 7486e0 lstrcpyA lstrlenA 7446->7455 7899 746ba7 IsBadCodePtr 7447->7899 7448->7439 7451 7483fd RegQueryValueExA 7448->7451 7454 74ec2e codecvt 4 API calls 7449->7454 7450->7439 7452 74842d RegSetValueExA 7451->7452 7453 74841e 7451->7453 7456 748447 RegCloseKey 7452->7456 7453->7452 7453->7456 7457 74851d 7454->7457 7458 747fcf 64 API calls 7455->7458 7456->7439 7457->7429 7459 748719 CreateProcessA 7458->7459 7460 74873d CloseHandle CloseHandle 7459->7460 7461 74874f 7459->7461 7460->7432 7462 747ee6 64 API calls 7461->7462 7463 748754 7462->7463 7464 747ead 6 API calls 7463->7464 7465 74875a 7464->7465 7465->7437 7467 7426cd 7466->7467 7468 7426fb 7466->7468 7469 7426e1 inet_ntoa 7467->7469 7470 7426de 7467->7470 7468->7321 7469->7470 7470->7321 7477 74a63d 7471->7477 7473 74a685 7473->7368 7475 74a63d GetTickCount 7474->7475 7476 74a696 7475->7476 7476->7368 7478 74a645 7477->7478 7479 74a64d 7477->7479 7478->7473 7480 74a66e 7479->7480 7481 74a65e GetTickCount 7479->7481 
7480->7473 7481->7480 7499 74a4c7 GetTickCount 7482->7499 7485 74c47a 7490 74c4d2 7485->7490 7491 74c4ab InterlockedIncrement CreateThread 7485->7491 7486 74c326 7488 74c337 7486->7488 7489 74c32b GetTickCount 7486->7489 7487 74c300 GetTickCount 7487->7488 7488->7485 7493 74c363 GetTickCount 7488->7493 7489->7488 7490->7331 7491->7490 7492 74c4cb CloseHandle 7491->7492 7504 74b535 7491->7504 7492->7490 7493->7485 7494 74c373 7493->7494 7495 74c378 GetTickCount 7494->7495 7496 74c37f 7494->7496 7495->7496 7497 74c43b GetTickCount 7496->7497 7498 74c45e 7497->7498 7498->7485 7500 74a4f7 InterlockedExchange 7499->7500 7501 74a4e4 GetTickCount 7500->7501 7502 74a500 7500->7502 7501->7502 7503 74a4ef Sleep 7501->7503 7502->7485 7502->7486 7502->7487 7503->7500 7505 74b566 7504->7505 7506 74ebcc 4 API calls 7505->7506 7507 74b587 7506->7507 7508 74ebcc 4 API calls 7507->7508 7559 74b590 7508->7559 7509 74bdcd InterlockedDecrement 7510 74bde2 7509->7510 7512 74ec2e codecvt 4 API calls 7510->7512 7513 74bdea 7512->7513 7515 74ec2e codecvt 4 API calls 7513->7515 7514 74bdb7 Sleep 7514->7559 7516 74bdf2 7515->7516 7517 74be05 7516->7517 7519 74ec2e codecvt 4 API calls 7516->7519 7518 74bdcc 7518->7509 7519->7517 7520 74ebed 8 API calls 7520->7559 7523 74b6b6 lstrlenA 7523->7559 7524 7430b5 2 API calls 7524->7559 7525 74e819 11 API calls 7525->7559 7526 74b6ed lstrcpyA 7579 745ce1 7526->7579 7529 74b731 lstrlenA 7529->7559 7530 74b71f lstrcmpA 7530->7529 7530->7559 7531 74b772 GetTickCount 7531->7559 7532 74bd49 InterlockedIncrement 7673 74a628 7532->7673 7535 74b7ce InterlockedIncrement 7589 74acd7 7535->7589 7536 74bc5b InterlockedIncrement 7536->7559 7539 74b912 GetTickCount 7539->7559 7540 74b826 InterlockedIncrement 7540->7531 7541 74b932 GetTickCount 7543 74bc6d InterlockedIncrement 7541->7543 7541->7559 7542 74bcdc closesocket 7542->7559 7543->7559 7544 745ce1 22 API calls 7544->7559 7545 7438f0 6 API calls 7545->7559 7546 74ab81 lstrcpynA InterlockedIncrement 
7546->7559 7548 74bba6 InterlockedIncrement 7548->7559 7551 74a7c1 22 API calls 7551->7559 7552 74bc4c closesocket 7552->7559 7554 74ba71 wsprintfA 7607 74a7c1 7554->7607 7555 745ded 12 API calls 7555->7559 7558 74ef1e lstrlenA 7558->7559 7559->7509 7559->7514 7559->7518 7559->7520 7559->7523 7559->7524 7559->7525 7559->7526 7559->7529 7559->7530 7559->7531 7559->7532 7559->7535 7559->7536 7559->7539 7559->7540 7559->7541 7559->7542 7559->7544 7559->7545 7559->7546 7559->7548 7559->7551 7559->7552 7559->7554 7559->7555 7559->7558 7560 74a688 GetTickCount 7559->7560 7561 743e10 7559->7561 7564 743e4f 7559->7564 7567 74384f 7559->7567 7587 74a7a3 inet_ntoa 7559->7587 7594 74abee 7559->7594 7606 741feb GetTickCount 7559->7606 7627 743cfb 7559->7627 7630 74b3c5 7559->7630 7661 74ab81 7559->7661 7560->7559 7562 7430fa 4 API calls 7561->7562 7563 743e1d 7562->7563 7563->7559 7565 7430fa 4 API calls 7564->7565 7566 743e5c 7565->7566 7566->7559 7568 7430fa 4 API calls 7567->7568 7569 743863 7568->7569 7570 7438b9 7569->7570 7571 743889 7569->7571 7578 7438b2 7569->7578 7682 7435f9 7570->7682 7676 743718 7571->7676 7576 743718 6 API calls 7576->7578 7577 7435f9 6 API calls 7577->7578 7578->7559 7580 745cf4 7579->7580 7581 745cec 7579->7581 7583 744bd1 4 API calls 7580->7583 7688 744bd1 GetTickCount 7581->7688 7584 745d02 7583->7584 7693 745472 7584->7693 7588 74a7b9 7587->7588 7588->7559 7590 74f315 14 API calls 7589->7590 7591 74aceb 7590->7591 7592 74acff 7591->7592 7593 74f315 14 API calls 7591->7593 7592->7559 7593->7592 7595 74abfb 7594->7595 7598 74ac65 7595->7598 7756 742f22 7595->7756 7597 74f315 14 API calls 7597->7598 7598->7597 7599 74ac8a 7598->7599 7600 74ac6f 7598->7600 7599->7559 7602 74ab81 2 API calls 7600->7602 7601 74ac23 7601->7598 7603 742684 2 API calls 7601->7603 7604 74ac81 7602->7604 7603->7601 7764 7438f0 7604->7764 7606->7559 7608 74a87d lstrlenA send 7607->7608 7609 74a7df 7607->7609 7610 74a8bf 7608->7610 7611 74a899 7608->7611 7609->7608 7612 
74a8f2 7609->7612 7613 74a80a 7609->7613 7618 74a7fa wsprintfA 7609->7618 7610->7612 7615 74a8c4 send 7610->7615 7614 74a8a5 wsprintfA 7611->7614 7626 74a89e 7611->7626 7616 74a978 recv 7612->7616 7619 74a9b0 wsprintfA 7612->7619 7620 74a982 7612->7620 7613->7608 7613->7613 7614->7626 7615->7612 7617 74a8d8 wsprintfA 7615->7617 7616->7612 7616->7620 7617->7626 7618->7613 7619->7626 7621 7430b5 2 API calls 7620->7621 7620->7626 7622 74ab05 7621->7622 7623 74e819 11 API calls 7622->7623 7624 74ab17 7623->7624 7625 74a7a3 inet_ntoa 7624->7625 7625->7626 7626->7559 7628 7430fa 4 API calls 7627->7628 7629 743d0b 7628->7629 7629->7559 7631 745ce1 22 API calls 7630->7631 7632 74b3e6 7631->7632 7633 745ce1 22 API calls 7632->7633 7635 74b404 7633->7635 7634 74b440 7637 74ef7c 3 API calls 7634->7637 7635->7634 7636 74ef7c 3 API calls 7635->7636 7638 74b42b 7636->7638 7639 74b458 wsprintfA 7637->7639 7640 74ef7c 3 API calls 7638->7640 7641 74ef7c 3 API calls 7639->7641 7640->7634 7642 74b480 7641->7642 7643 74ef7c 3 API calls 7642->7643 7644 74b493 7643->7644 7645 74ef7c 3 API calls 7644->7645 7646 74b4bb 7645->7646 7780 74ad89 GetLocalTime SystemTimeToFileTime 7646->7780 7650 74b4cc 7651 74ef7c 3 API calls 7650->7651 7652 74b4dd 7651->7652 7653 74b211 7 API calls 7652->7653 7654 74b4ec 7653->7654 7655 74ef7c 3 API calls 7654->7655 7656 74b4fd 7655->7656 7657 74b211 7 API calls 7656->7657 7658 74b509 7657->7658 7659 74ef7c 3 API calls 7658->7659 7660 74b51a 7659->7660 7660->7559 7662 74abe9 GetTickCount 7661->7662 7664 74ab8c 7661->7664 7666 74a51d 7662->7666 7663 74aba8 lstrcpynA 7663->7664 7664->7662 7664->7663 7665 74abe1 InterlockedIncrement 7664->7665 7665->7664 7667 74a4c7 4 API calls 7666->7667 7668 74a52c 7667->7668 7669 74a542 GetTickCount 7668->7669 7671 74a539 GetTickCount 7668->7671 7669->7671 7672 74a56c 7671->7672 7672->7559 7674 74a4c7 4 API calls 7673->7674 7675 74a633 7674->7675 7675->7559 7677 74f04e 4 API calls 7676->7677 7679 74372a 7677->7679 7678 743847 
7678->7576 7678->7578 7679->7678 7680 7437b3 GetCurrentThreadId 7679->7680 7680->7679 7681 7437c8 GetCurrentThreadId 7680->7681 7681->7679 7683 74f04e 4 API calls 7682->7683 7687 74360c 7683->7687 7684 7436f1 7684->7577 7684->7578 7685 7436da GetCurrentThreadId 7685->7684 7686 7436e5 GetCurrentThreadId 7685->7686 7686->7684 7687->7684 7687->7685 7689 744bff InterlockedExchange 7688->7689 7690 744bec GetTickCount 7689->7690 7691 744c08 7689->7691 7690->7691 7692 744bf7 Sleep 7690->7692 7691->7580 7692->7689 7712 744763 7693->7712 7695 745b58 7722 744699 7695->7722 7698 744763 lstrlenA 7699 745b6e 7698->7699 7743 744f9f 7699->7743 7701 745b79 7701->7559 7703 745549 lstrlenA 7709 74548a 7703->7709 7705 74558d lstrcpynA 7705->7709 7706 745a9f lstrcpyA 7706->7709 7707 745935 lstrcpynA 7707->7709 7708 745472 13 API calls 7708->7709 7709->7695 7709->7705 7709->7706 7709->7707 7709->7708 7710 7458e7 lstrcpyA 7709->7710 7711 744ae6 8 API calls 7709->7711 7716 744ae6 7709->7716 7720 74ef7c lstrlenA lstrlenA lstrlenA 7709->7720 7710->7709 7711->7709 7715 74477a 7712->7715 7713 744859 7713->7709 7714 74480d lstrlenA 7714->7715 7715->7713 7715->7714 7717 744af3 7716->7717 7719 744b03 7716->7719 7718 74ebed 8 API calls 7717->7718 7718->7719 7719->7703 7721 74efb4 7720->7721 7721->7709 7748 7445b3 7722->7748 7725 7445b3 7 API calls 7726 7446c6 7725->7726 7727 7445b3 7 API calls 7726->7727 7728 7446d8 7727->7728 7729 7445b3 7 API calls 7728->7729 7730 7446ea 7729->7730 7731 7445b3 7 API calls 7730->7731 7732 7446ff 7731->7732 7733 7445b3 7 API calls 7732->7733 7734 744711 7733->7734 7735 7445b3 7 API calls 7734->7735 7736 744723 7735->7736 7737 74ef7c 3 API calls 7736->7737 7738 744735 7737->7738 7739 74ef7c 3 API calls 7738->7739 7740 74474a 7739->7740 7741 74ef7c 3 API calls 7740->7741 7742 74475c 7741->7742 7742->7698 7744 744fac 7743->7744 7747 744fb0 7743->7747 7744->7701 7745 744ffd 7745->7701 7746 744fd5 IsBadCodePtr 7746->7747 7747->7745 7747->7746 7749 7445c1 7748->7749 
7751 7445c8 7748->7751 7750 74ebcc 4 API calls 7749->7750 7750->7751 7752 74ebcc 4 API calls 7751->7752 7754 7445e1 7751->7754 7752->7754 7753 744691 7753->7725 7754->7753 7755 74ef7c 3 API calls 7754->7755 7755->7754 7771 742d21 GetModuleHandleA 7756->7771 7759 742f44 7759->7601 7760 742fcf GetProcessHeap HeapFree 7760->7759 7761 742f4f 7763 742f6b GetProcessHeap HeapFree 7761->7763 7762 742f85 7762->7760 7762->7762 7763->7759 7765 743900 7764->7765 7766 743980 7764->7766 7767 7430fa 4 API calls 7765->7767 7766->7599 7770 74390a 7767->7770 7768 74391b GetCurrentThreadId 7768->7770 7769 743939 GetCurrentThreadId 7769->7770 7770->7766 7770->7768 7770->7769 7772 742d46 LoadLibraryA 7771->7772 7773 742d5b GetProcAddress 7771->7773 7772->7773 7777 742d54 7772->7777 7774 742d6b DnsQuery_A 7773->7774 7773->7777 7776 742d7d 7774->7776 7774->7777 7775 742d97 GetProcessHeap HeapAlloc 7775->7777 7778 742dac 7775->7778 7776->7775 7776->7777 7777->7759 7777->7761 7777->7762 7778->7776 7779 742db5 lstrcpynA 7778->7779 7779->7778 7781 74adbf 7780->7781 7805 74ad08 gethostname 7781->7805 7784 7430b5 2 API calls 7785 74add3 7784->7785 7786 74a7a3 inet_ntoa 7785->7786 7793 74ade4 7785->7793 7786->7793 7787 74ae85 wsprintfA 7788 74ef7c 3 API calls 7787->7788 7790 74aebb 7788->7790 7789 74ae36 wsprintfA wsprintfA 7791 74ef7c 3 API calls 7789->7791 7792 74ef7c 3 API calls 7790->7792 7791->7793 7794 74aed2 7792->7794 7793->7787 7793->7789 7795 74b211 7794->7795 7796 74b2af GetLocalTime 7795->7796 7797 74b2bb FileTimeToLocalFileTime FileTimeToSystemTime 7795->7797 7798 74b2d2 7796->7798 7797->7798 7799 74b31c GetTimeZoneInformation 7798->7799 7800 74b2d9 SystemTimeToFileTime 7798->7800 7803 74b33a wsprintfA 7799->7803 7801 74b2ec 7800->7801 7802 74b312 FileTimeToSystemTime 7801->7802 7802->7799 7803->7650 7806 74ad71 7805->7806 7811 74ad26 lstrlenA 7805->7811 7808 74ad85 7806->7808 7809 74ad79 lstrcpyA 7806->7809 7808->7784 7809->7808 7810 74ad68 lstrlenA 7810->7806 7811->7806 
control_flow_graph: basic-block and edge data for several functions (graph dump not reproduced; the API calls of each function are listed in the sections that follow)
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0074CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0074CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0074CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0074CCB4
                                                                                            • WriteFile.KERNEL32(0074A4B3,?,-000000E8,?,00000000), ref: 0074CCDC
                                                                                            • CloseHandle.KERNEL32(0074A4B3), ref: 0074CCED
                                                                                            • wsprintfA.USER32 ref: 0074CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0074CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0074CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0074CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0074CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0074CDC4
                                                                                            • CloseHandle.KERNEL32(0074A4B3), ref: 0074CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0074CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0074CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0074D033
                                                                                            • lstrcatA.KERNEL32(?,03F00108), ref: 0074D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0074D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0074D171
                                                                                            • WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000), ref: 0074D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0074D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0074D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0074D231
                                                                                            • lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 0074D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0074D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0074D2C7
                                                                                            • WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0074D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0074D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0074D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0074D372
                                                                                            • lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 0074D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0074D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0074D408
                                                                                            • WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0074D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0074D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0074D45B
                                                                                            • CreateProcessA.KERNEL32(?,00750264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0074D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0074D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0074D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0074D513
                                                                                            • closesocket.WS2_32(?), ref: 0074D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0074D577
                                                                                            • ExitProcess.KERNEL32 ref: 0074D583
                                                                                            • wsprintfA.USER32 ref: 0074D81F
                                                                                              • Part of subcall function 0074C65C: send.WS2_32(00000000,?,00000000), ref: 0074C74B
                                                                                            • closesocket.WS2_32(?), ref: 0074DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$X u$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-2501426684
                                                                                            • Opcode ID: 056f8f49a8ac5de0514bae5e3444e30d23f54f8b35930b11383320c2e19c72c9
                                                                                            • Instruction ID: 1867527589e1a89e98a316e86b224ef11b1cd28640a754e913edfb18dca75337
                                                                                            • Opcode Fuzzy Hash: 056f8f49a8ac5de0514bae5e3444e30d23f54f8b35930b11383320c2e19c72c9
                                                                                            • Instruction Fuzzy Hash: 85B2D5B2901208EFEB219FA4DC89EEE7BBDEB05301F144069F949A3191D7BC9E45CB54
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00749A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00749A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00746511), ref: 00749A8A
                                                                                              • Part of subcall function 0074EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0074EC5E
                                                                                              • Part of subcall function 0074EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0074EC72
                                                                                              • Part of subcall function 0074EC54: GetTickCount.KERNEL32 ref: 0074EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00749AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00749ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00749AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00749B99
                                                                                            • ExitProcess.KERNEL32 ref: 00749C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00749CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00749D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00749D8B
                                                                                            • lstrcatA.KERNEL32(?,0075070C), ref: 00749D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00749DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00749E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00749E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00749EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00749ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00749F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00749F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00749F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00749FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00749FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00749FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0074A038
                                                                                            • lstrcatA.KERNEL32(00000022,00750A34), ref: 0074A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0074A072
                                                                                            • lstrcatA.KERNEL32(00000022,00750A34), ref: 0074A08D
                                                                                            • wsprintfA.USER32 ref: 0074A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0074A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0074A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0074A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0074A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0074A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0074A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0074A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0074A1E5
                                                                                              • Part of subcall function 007499D2: lstrcpyA.KERNEL32(?,?,00000100,007522F8,00000000,?,00749E9D,?,00000022,?,?,?,?,?,?,?), ref: 007499DF
                                                                                              • Part of subcall function 007499D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00749E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00749A3C
                                                                                              • Part of subcall function 007499D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00749E9D,?,00000022,?,?,?), ref: 00749A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0074A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0074A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0074A3ED
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 0074A400
                                                                                            • DeleteFileA.KERNELBASE(007533D8), ref: 0074A407
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0074405E,00000000,00000000,00000000), ref: 0074A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0074A43A
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,0074877E,00000000,00000000,00000000), ref: 0074A469
                                                                                            • Sleep.KERNELBASE(00000BB8), ref: 0074A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0074A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0074A4B7
                                                                                            • Sleep.KERNELBASE(00001A90), ref: 0074A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$D$P$\$qruvscyd
                                                                                            • API String ID: 2089075347-4118977536
                                                                                            • Opcode ID: ac629fa324a6e14a5592e60797b8bfa96da26a9f9bc21a7fe3d2be4c6031e25e
                                                                                            • Instruction ID: 5f1b946e49c7ec47671b1de049cb854dc621df3c3c6510291a77ba667ed261f3
                                                                                            • Opcode Fuzzy Hash: ac629fa324a6e14a5592e60797b8bfa96da26a9f9bc21a7fe3d2be4c6031e25e
                                                                                            • Instruction Fuzzy Hash: 3C529FB1D4035DFFDB21DBA08C89EEF7BBCAB05300F1444A6F609A2141EB789A458B65

                                                                                             Control-flow Graph: function at 0074199C (executed / not executed basic-block edge data not reproduced; the APIs it calls are listed below)
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 007419B1
                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00741E9E), ref: 007419BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 007419E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 007419ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 007419F9
                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00741E9E), ref: 00741A1B
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00741E9E), ref: 00741A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00741E9E), ref: 00741A36
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00741E9E,?,?,?,?,00000001,00741E9E), ref: 00741A4A
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00741E9E,?,?,?,?,00000001,00741E9E), ref: 00741A5A
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00741E9E,?,?,?,?,00000001,00741E9E), ref: 00741A6E
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00741E9E), ref: 00741A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00741E9E), ref: 00741AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 293628436-270533642
                                                                                            • Opcode ID: a845bf450459ab4246253858b9cc4eea9b1129de34cdc3a27a89c7cf07eb3d9b
                                                                                            • Instruction ID: 00b50823469a76f985e2ed090643b144c9a78e1641c19625eae01bd57b78404b
                                                                                            • Opcode Fuzzy Hash: a845bf450459ab4246253858b9cc4eea9b1129de34cdc3a27a89c7cf07eb3d9b
                                                                                            • Instruction Fuzzy Hash: ED316D72E01209AFCB11AFE4CD888BEBBB9FF45302B548569E601A2110D7B84E808B91

                                                                                             Control-flow Graph: function at 00747A95 (executed / not executed basic-block edge data not reproduced; the APIs it calls are listed below)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00747ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 00747ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0075070C,?,?,?), ref: 00747B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00747B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00747B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 00747B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00747B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00747B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00747B9C
                                                                                            • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00747BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00747BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,00747FC9,?,00000000), ref: 00747BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$D
                                                                                            • API String ID: 2976863881-4037504507
                                                                                            • Opcode ID: c559feeb7721912bc32a292c8cc562b0afe8378064d2f14784bffb3b6b76b6f3
                                                                                            • Instruction ID: e12d506ae0c424480e4f45453f2914c991eb4d201a5821950aadb27bdc484426
                                                                                            • Opcode Fuzzy Hash: c559feeb7721912bc32a292c8cc562b0afe8378064d2f14784bffb3b6b76b6f3
                                                                                            • Instruction Fuzzy Hash: 89A12AB1A04219AFDF159FA0DC88FEEBBBDFF44301F148069E905E2150E7799A45CBA4

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 748 747809-747837 GetUserNameA 749 74783d-74786e LookupAccountNameA 748->749 750 747a8e-747a94 748->750 749->750 751 747874-7478a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 7478a8-7478c3 GetSecurityDescriptorOwner 751->752 753 7478c5-7478da EqualSid 752->753 754 74791d-74793b GetSecurityDescriptorDacl 752->754 753->754 755 7478dc-7478ed LocalAlloc 753->755 756 747941-747946 754->756 757 747a8d 754->757 755->754 758 7478ef-7478f9 InitializeSecurityDescriptor 755->758 756->757 759 74794c-747955 756->759 757->750 760 747916-747917 LocalFree 758->760 761 7478fb-747909 SetSecurityDescriptorOwner 758->761 759->757 762 74795b-74796b GetAce 759->762 760->754 761->760 763 74790b-747910 SetFileSecurityA 761->763 764 747971-74797e 762->764 765 747a2a 762->765 763->760 766 747980-747992 EqualSid 764->766 767 7479ae-7479b1 764->767 768 747a2d-747a37 765->768 771 747994-747997 766->771 772 747999-74799b 766->772 769 7479b3-7479bd 767->769 770 7479be-7479d0 EqualSid 767->770 768->762 773 747a3d-747a41 768->773 769->770 774 7479e5 770->774 775 7479d2-7479e3 770->775 771->766 771->772 772->767 776 74799d-7479ac DeleteAce 772->776 773->757 777 747a43-747a54 LocalAlloc 773->777 779 7479ea-7479ed 774->779 775->779 776->768 777->757 778 747a56-747a60 InitializeSecurityDescriptor 777->778 780 747a86-747a87 LocalFree 778->780 781 747a62-747a71 SetSecurityDescriptorDacl 778->781 782 7479ef-7479f5 779->782 783 7479f8-7479fb 779->783 780->757 781->780 784 747a73-747a81 SetFileSecurityA 781->784 782->783 785 747a03-747a0e 783->785 786 7479fd-747a01 783->786 784->780 787 747a83 784->787 788 747a10-747a17 785->788 789 747a19-747a24 785->789 786->765 786->785 787->780 790 747a27 788->790 789->790 790->765
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0074782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00747866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00747878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0074789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00747F63,?), ref: 007478B8
                                                                                            • EqualSid.ADVAPI32(?,00747F63), ref: 007478D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 007478E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 007478F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00747901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00747910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00747917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00747933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00747963
                                                                                            • EqualSid.ADVAPI32(?,00747F63), ref: 0074798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 007479A3
                                                                                            • EqualSid.ADVAPI32(?,00747F63), ref: 007479C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00747A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00747A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00747A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00747A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00747A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: b7ec7c55789a6d37fb9ccfd24e9de27479b4bd8fe11f108a1862bd9ed254a734
                                                                                            • Instruction ID: f7576826dd4122d9d69d519d5719d16c982f09e2044f3b6c49a3cb3fd2605e7e
                                                                                            • Opcode Fuzzy Hash: b7ec7c55789a6d37fb9ccfd24e9de27479b4bd8fe11f108a1862bd9ed254a734
                                                                                            • Instruction Fuzzy Hash: A6813B71E0421AEBDB25CFA4CD44FEEBBB8EF08341F14816AE505E2150D7789A41CBA4
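The two functions above (0x747a95 for a registry key, 0x747809 for a file) share one routine: look up the current user's SID (GetUserNameA, LookupAccountNameA), read the object's owner and DACL (the SECURITY_INFORMATION value 5 in RegGetKeySecurity/GetFileSecurityA is OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION), compare the owner with EqualSid and, if it differs, install a new owner through a fresh 20-byte descriptor (LocalAlloc 0x14 is sizeof(SECURITY_DESCRIPTOR) on 32-bit) written back with SECURITY_INFORMATION 1; then walk the DACL with GetAce, compare each ACE's SID with EqualSid, DeleteAce the matches, and write the trimmed DACL back with SECURITY_INFORMATION 4. Which SID the sample installs as owner and which SIDs it strips are not visible in this report, so the model below takes both as parameters. This is an added example operating on a self-relative SECURITY_DESCRIPTOR blob in memory, not code from the sample or from Joe Sandbox; the descriptor, SIDs and access masks are constructed for illustration.

```python
import struct

SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
OWNER_SECURITY_INFORMATION, DACL_SECURITY_INFORMATION = 0x1, 0x4  # the 1 and 4 passed to Set*Security


def sid_bytes(sid):
    """Encode 'S-1-5-…' as a binary SID: revision, sub-authority count, 48-bit authority, sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("bad SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_str(blob, off):
    """Decode the binary SID at blob[off:], returning (string form, encoded size)."""
    rev, count = blob[off], blob[off + 1]
    auth = int.from_bytes(blob[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_sd(owner, group, aces):
    """Build a self-relative SECURITY_DESCRIPTOR whose DACL holds (type, flags, mask, sid) ACEs."""
    owner_b, group_b = sid_bytes(owner), sid_bytes(group)
    ace_blobs = []
    for ace_type, flags, mask, sid in aces:
        s = sid_bytes(sid)
        ace_blobs.append(struct.pack("<BBHI", ace_type, flags, 8 + len(s), mask) + s)  # ACE header + mask + SID
    body = b"".join(ace_blobs)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body          # ACL header is 8 bytes
    off_owner = 20                                                                  # header is 20 bytes
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return hdr + owner_b + group_b + acl


def parse_sd(blob):
    """Return (owner, group, [(type, flags, mask, sid), ...]) from a self-relative descriptor."""
    rev, _, control, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    owner = sid_str(blob, off_owner)[0] if off_owner else None
    group = sid_str(blob, off_group)[0] if off_group else None
    aces = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
        pos = off_dacl + 8
        for _ in range(count):  # the GetAce(acl, i, ...) loop in the sample walks this list
            ace_type, flags, size, mask = struct.unpack_from("<BBHI", blob, pos)
            aces.append((ace_type, flags, mask, sid_str(blob, pos + 8)[0]))
            pos += size
    return owner, group, aces


def lock_down(blob, new_owner, strip_sids):
    """Model the sample's sequence on a descriptor blob.

    1. GetSecurityDescriptorOwner + EqualSid: if the owner differs from new_owner, replace it
       (SetSecurityDescriptorOwner, then Set*Security with OWNER_SECURITY_INFORMATION).
    2. GetAce / EqualSid / DeleteAce: drop every ACE whose SID is in strip_sids (parameters
       here, because the SIDs the sample compares against are not visible in the report).
    3. SetSecurityDescriptorDacl + Set*Security with DACL_SECURITY_INFORMATION writes the result;
       this model always performs that final write.
    Returns (new descriptor, set of SECURITY_INFORMATION flags that would be written).
    """
    owner, group, aces = parse_sd(blob)
    written = {DACL_SECURITY_INFORMATION}
    if owner != new_owner:
        owner = new_owner
        written.add(OWNER_SECURITY_INFORMATION)
    kept = [a for a in aces if a[3] not in strip_sids]
    return build_sd(owner, group, kept), written


# Constructed sample descriptor (not taken from the analysed file): owned by Administrators,
# with allow ACEs for SYSTEM, Administrators, an ordinary user and BUILTIN\Users.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
SAMPLE_SD = build_sd(
    "S-1-5-32-544",                      # owner: BUILTIN\Administrators
    "S-1-5-21-1000-2000-3000-513",       # group: Domain Users
    [(0, 0, 0x1F01FF, "S-1-5-18"),       # ACCESS_ALLOWED, full control, SYSTEM
     (0, 0, 0x1F01FF, "S-1-5-32-544"),   # ACCESS_ALLOWED, full control, Administrators
     (0, 0, 0x1200A9, USER_SID),         # ACCESS_ALLOWED, read and execute, the user
     (0, 0, 0x1200A9, "S-1-5-32-545")])  # ACCESS_ALLOWED, read and execute, Users

if __name__ == "__main__":
    new_sd, flags = lock_down(SAMPLE_SD, USER_SID, {USER_SID, "S-1-5-32-545"})
    print("owner:", parse_sd(new_sd)[0], "flags written:", sorted(flags))
    for ace in parse_sd(new_sd)[2]:
        print("  ACE", ace)
```

Run against the constructed descriptor with the user as new owner and the user's and Users' SIDs as the strip set, the result is a descriptor owned by the user whose DACL names only SYSTEM and Administrators; the owner change and the DACL rewrite correspond to the two Set*Security calls in the API list.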

                                                                                            Control-flow Graph

                                                                                             control_flow_graph 791 748328-74833e call 747dd6 794 748340-748343 791->794 795 748348-748356 call 746ec3 791->795 797 74877b-74877d 794->797 799 74835c-748378 call 7473ff 795->799 800 74846b-748474 795->800 810 748464-748466 799->810 811 74837e-748384 799->811 802 7485c2-7485ce 800->802 803 74847a-748480 800->803 805 748615-748620 802->805 806 7485d0-7485da call 74675c 802->806 803->802 807 748486-7484ba call 742544 RegOpenKeyExA 803->807 808 748626-74864c GetTempPathA call 748274 call 74eca5 805->808 809 7486a7-7486b0 call 746ba7 805->809 818 7485df-7485eb 806->818 824 7484c0-7484db RegQueryValueExA 807->824 825 748543-748571 call 742544 RegOpenKeyExA 807->825 846 748671-7486a4 call 742544 call 74ef00 call 74ee2a 808->846 847 74864e-74866f call 74eca5 808->847 826 7486b6-7486bd call 747e2f 809->826 827 748762 809->827 817 748779-74877a 810->817 811->810 816 74838a-74838d 811->816 816->810 822 748393-748399 816->822 817->797 818->805 823 7485ed-7485ef 818->823 829 74839c-7483a1 822->829 823->805 830 7485f1-7485fa 823->830 832 748521-74852d RegCloseKey 824->832 833 7484dd-7484e1 824->833 852 7485a5-7485b7 call 74ee2a 825->852 853 748573-74857b 825->853 858 7486c3-74873b call 74ee2a * 2 lstrcpyA lstrlenA call 747fcf CreateProcessA 826->858 859 74875b-74875c DeleteFileA 826->859 836 748768-74876b 827->836 829->829 838 7483a3-7483af 829->838 830->805 840 7485fc-74860f call 7424c2 830->840 832->825 839 74852f-748541 call 74eed1 832->839 833->832 834 7484e3-7484e6 833->834 834->832 842 7484e8-7484f6 call 74ebcc 834->842 844 748776-748778 836->844 845 74876d-748775 call 74ec2e 836->845 848 7483b1 838->848 849 7483b3-7483ba 838->849 839->825 839->852 840->805 840->836 842->832 875 7484f8-748513 RegQueryValueExA 842->875 844->817 845->844 846->809 847->846 848->849 864 748450-74845f call 74ee2a 849->864 865 7483c0-7483fb call 742544 RegOpenKeyExA 849->865 852->802 876 7485b9-7485c1 call 74ec2e 852->876 855 74857e-748583 853->855 855->855 866 748585-74859f RegSetValueExA RegCloseKey 855->866 899 74873d-74874d CloseHandle * 2 858->899 900 74874f-74875a call 747ee6 call 747ead 858->900 859->827 864->802 865->864 885 7483fd-74841c RegQueryValueExA 865->885 866->852 875->832 881 748515-74851e call 74ec2e 875->881 876->802 881->832 886 74842d-748441 RegSetValueExA 885->886 887 74841e-748421 885->887 894 748447-74844a RegCloseKey 886->894 887->886 893 748423-748426 887->893 893->886 897 748428-74842b 893->897 894->864 897->886 897->894 899->836 900->859
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,00750750,?,?,00000000,localcfg,00000000), ref: 007483F3
                                                                                            • RegQueryValueExA.KERNELBASE(00750750,?,00000000,?,00748893,?,?,?,00000000,00000103,00750750,?,?,00000000,localcfg,00000000), ref: 00748414
                                                                                            • RegSetValueExA.KERNELBASE(00750750,?,00000000,00000004,00748893,00000004,?,?,00000000,00000103,00750750,?,?,00000000,localcfg,00000000), ref: 00748441
                                                                                            • RegCloseKey.ADVAPI32(00750750,?,?,00000000,00000103,00750750,?,?,00000000,localcfg,00000000), ref: 0074844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe$localcfg
                                                                                            • API String ID: 237177642-2907806470
                                                                                            • Opcode ID: 67a53b5d4b70968d686b0aa1a7d2eb9a13600648dda1d3f280b7767e17e0f5d6
                                                                                            • Instruction ID: 206fe837bd3d523cb773d054ce0d417554721bc4d6a373a549ce71c868bffbd6
                                                                                            • Opcode Fuzzy Hash: 67a53b5d4b70968d686b0aa1a7d2eb9a13600648dda1d3f280b7767e17e0f5d6
                                                                                            • Instruction Fuzzy Hash: CDC1D1B1D4024DFEEB51AFA4DC89EEEBBBCEB05301F144465F504A2092EB784E45CB62

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 929 741d96-741dce call 74ee2a GetVersionExA 932 741de0 929->932 933 741dd0-741dde 929->933 934 741de3-741e14 GetSystemInfo GetModuleHandleA GetProcAddress 932->934 933->934 935 741e24-741e59 call 74e819 * 2 934->935 936 741e16-741e21 GetCurrentProcess 934->936 941 741e7a-741ea0 call 74ea84 call 74e819 call 74199c 935->941 942 741e5b-741e77 call 74df70 * 2 935->942 936->935 953 741ea2-741ea6 941->953 954 741ea8 941->954 942->941 955 741eac-741ec1 call 74e819 953->955 954->955 958 741ee0-741ef6 call 74e819 955->958 959 741ec3-741ed3 call 74f04e call 74ea84 955->959 965 741f14-741f2b call 74e819 958->965 966 741ef8 call 741b71 958->966 967 741ed8-741ede 959->967 973 741f2d call 741bdf 965->973 974 741f49-741f65 call 74e819 965->974 970 741efd-741f11 call 74ea84 966->970 967->958 970->965 978 741f32-741f46 call 74ea84 973->978 981 741f67-741f77 call 74ea84 974->981 982 741f7a-741f8c call 7430b5 974->982 978->974 981->982 988 741f93-741f9a 982->988 989 741f8e-741f91 982->989 991 741fb7 988->991 992 741f9c-741fa3 call 746ec3 988->992 990 741fbb-741fc0 989->990 993 741fc2 990->993 994 741fc9-741fea GetTickCount 990->994 991->990 997 741fa5-741fac 992->997 998 741fae-741fb5 992->998 993->994 997->990 998->990
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00741DC6
                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 00741DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00741E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00741E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00741E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00741FC9
                                                                                              • Part of subcall function 00741BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00741C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 1a8c142cf9856789e143dc61785f30943363de3c268053086b9603d205382802
                                                                                            • Instruction ID: 943a89624fb0821d2bed93d5f3f10312198197564bc16afb9916450990c79b7b
                                                                                            • Opcode Fuzzy Hash: 1a8c142cf9856789e143dc61785f30943363de3c268053086b9603d205382802
                                                                                            • Instruction Fuzzy Hash: 2F51C6B0904344AFE330AF758C89F6BBAECFB45705F44491DF98A42142D7BCA948C7A5
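The function at 0x741d96 gathers host facts (GetVersionExA, GetSystemInfo, IsWow64Process resolved at run time through GetModuleHandleA/GetProcAddress rather than imported, GetTickCount, and GetComputerNameA in the 0x741bdf subcall), and its string table names the registry values the bot keeps its state in: born_date, flags_upd, hi_id, lid_file_upd, loader_id, localcfg, net_type, start_srv and work_srv. The function at 0x748328 reads and rewrites one of them, localcfg, as a 4-byte REG_DWORD (dwType 4, cbData 4 in the RegSetValueExA call) under HKEY_LOCAL_MACHINE (0x80000002 in RegOpenKeyExA). Because these names are distinctive and several of them land in one key, a registry-write detection can key on the set rather than on any single name. The following is an added example that is not part of the report: it groups constructed RegSetValue event records by writing process and target key and alerts when a key receives several of the listed names. The event format, the svchost.exe image path and the key path in the sample records are constructed placeholders; the report does not give the key the sample uses.

```python
from collections import defaultdict

# Value names taken from the report's String IDs for the function at 0x741d96.
TOFSEE_CONFIG_VALUES = frozenset({
    "born_date", "flags_upd", "hi_id", "lid_file_upd", "loader_id",
    "localcfg", "net_type", "start_srv", "work_srv",
})
MIN_DISTINCT_NAMES = 3  # a single coincidental name such as net_type must not alert on its own


def parse_event(line):
    """Parse one 'pid|image|key|value_name' registry-write record (a constructed format)."""
    parts = line.strip().split("|")
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    pid, image, key, value_name = parts
    return {"pid": int(pid), "image": image, "key": key, "value_name": value_name}


def find_tofsee_config_writes(lines, min_distinct=MIN_DISTINCT_NAMES):
    """Return one alert per (pid, image, key) that wrote at least min_distinct listed names."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = ev["value_name"].lower()  # registry value names are case-insensitive
        if name in TOFSEE_CONFIG_VALUES:
            seen[(ev["pid"], ev["image"], ev["key"])].add(name)
    alerts = [{"pid": pid, "image": image, "key": key, "names": sorted(names)}
              for (pid, image, key), names in seen.items() if len(names) >= min_distinct]
    return sorted(alerts, key=lambda a: (a["pid"], a["key"]))


# Constructed records: the report's memory dump comes from process 15 (svchost), so the first
# writer is modelled as a svchost.exe host; the key path is a placeholder, not the sample's key.
SAMPLE_EVENTS = [
    r"15|C:\Windows\SysWOW64\svchost.exe|HKLM\SOFTWARE\Microsoft\ExampleKey|localcfg",
    r"15|C:\Windows\SysWOW64\svchost.exe|HKLM\SOFTWARE\Microsoft\ExampleKey|born_date",
    r"15|C:\Windows\SysWOW64\svchost.exe|HKLM\SOFTWARE\Microsoft\ExampleKey|Work_Srv",
    r"15|C:\Windows\SysWOW64\svchost.exe|HKLM\SOFTWARE\Microsoft\ExampleKey|start_srv",
    r"2204|C:\Program Files\VendorApp\app.exe|HKLM\SOFTWARE\VendorApp|net_type",
    r"2204|C:\Program Files\VendorApp\app.exe|HKLM\SOFTWARE\VendorApp|InstallDir",
    "malformed record with no separators",
]

if __name__ == "__main__":
    for alert in find_tofsee_config_writes(SAMPLE_EVENTS):
        print("pid %(pid)d %(image)s wrote %(names)s to %(key)s" % alert)
```

The threshold is the point of the rule: the vendor application in the constructed data writes a value called net_type, which on its own is not suspicious, while the svchost.exe writer reaches four distinct names and is reported. Lowering min_distinct to 1 turns the rule into a plain name match and surfaces the vendor key as well.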

                                                                                            Control-flow Graph

                                                                                             control_flow_graph 999 7473ff-747419 1000 74741d-747422 999->1000 1001 74741b 999->1001 1002 747424 1000->1002 1003 747426-74742b 1000->1003 1001->1000 1002->1003 1004 747430-747435 1003->1004 1005 74742d 1003->1005 1006 747437 1004->1006 1007 74743a-747481 call 746dc2 call 742544 RegOpenKeyExA 1004->1007 1005->1004 1006->1007 1012 747487-74749d call 74ee2a 1007->1012 1013 7477f9-7477fe call 74ee2a 1007->1013 1019 747703-74770e RegEnumKeyA 1012->1019 1018 747801 1013->1018 1020 747804-747808 1018->1020 1021 747714-74771d RegCloseKey 1019->1021 1022 7474a2-7474b1 call 746cad 1019->1022 1021->1018 1025 7474b7-7474cc call 74f1a5 1022->1025 1026 7476ed-747700 1022->1026 1025->1026 1029 7474d2-7474f8 RegOpenKeyExA 1025->1029 1030 747727-74772a 1029->1030 1031 7474fe-747530 call 742544 RegQueryValueExA 1029->1031 1032 747755-747764 call 74ee2a 1030->1032 1033 74772c-747740 call 74ef00 1030->1033 1031->1030 1039 747536-74753c 1031->1039 1044 7476df-7476e2 1032->1044 1041 747742-747745 RegCloseKey 1033->1041 1042 74774b-74774e 1033->1042 1043 74753f-747544 1039->1043 1041->1042 1046 7477ec-7477f7 RegCloseKey 1042->1046 1043->1043 1045 747546-74754b 1043->1045 1044->1026 1047 7476e4-7476e7 RegCloseKey 1044->1047 1045->1032 1048 747551-74756b call 74ee95 1045->1048 1046->1020 1047->1026 1048->1032 1051 747571-747593 call 742544 call 74ee95 1048->1051 1056 747753 1051->1056 1057 747599-7475a0 1051->1057 1056->1032 1058 7475a2-7475c6 call 74ef00 call 74ed03 1057->1058 1059 7475c8-7475d7 call 74ed03 1057->1059 1065 7475d8-7475da 1058->1065 1059->1065 1067 7475dc 1065->1067 1068 7475df-747623 call 74ee95 call 742544 call 74ee95 call 74ee2a 1065->1068 1067->1068 1077 747626-74762b 1068->1077 1077->1077 1078 74762d-747634 1077->1078 1079 747637-74763c 1078->1079 1079->1079 1080 74763e-747642 1079->1080 1081 747644-747656 call 74ed77 1080->1081 1082 74765c-747673 call 74ed23 1080->1082 1081->1082 1087 747769-74777c call 74ef00 1081->1087 1088 747675-74767e 1082->1088 1089 747680 1082->1089 1094 7477e3-7477e6 RegCloseKey 1087->1094 1091 747683-74768e call 746cad 1088->1091 1089->1091 1096 747694-7476bf call 74f1a5 call 746c96 1091->1096 1097 747722-747725 1091->1097 1094->1046 1103 7476c1-7476c7 1096->1103 1104 7476d8 1096->1104 1099 7476dd 1097->1099 1099->1044 1103->1104 1105 7476c9-7476d2 1103->1105 1104->1099 1105->1104 1106 74777e-747797 GetFileAttributesExA 1105->1106 1107 747799 1106->1107 1108 74779a-74779f 1106->1108 1107->1108 1109 7477a1 1108->1109 1110 7477a3-7477a8 1108->1110 1109->1110 1111 7477c4-7477c8 1110->1111 1112 7477aa-7477c0 call 74ee08 1110->1112 1114 7477d7-7477dc 1111->1114 1115 7477ca-7477d6 call 74ef00 1111->1115 1112->1111 1118 7477e0-7477e2 1114->1118 1119 7477de 1114->1119 1115->1114 1118->1094 1119->1118
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00747472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 007474F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00747528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0074764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 007476E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00747706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00747717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00747745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 007477EF
                                                                                              • Part of subcall function 0074F1A5: lstrlenA.KERNEL32(000000C8,000000E4,007522F8,000000C8,00747150,?), ref: 0074F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0074778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 007477E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 0b39a9cd6bc8c4487988c6f2fd6e3e2295f6c0761f75d37d0e019041e078f252
                                                                                            • Instruction ID: 31ac7c265e1bddee758144752881f7946fc3c680505fe198adbec94de5f674cb
                                                                                            • Opcode Fuzzy Hash: 0b39a9cd6bc8c4487988c6f2fd6e3e2295f6c0761f75d37d0e019041e078f252
                                                                                            • Instruction Fuzzy Hash: F8C1BF72904209EFEB269BA4DC49FEEBBB9EF45310F1000A5F504E6191EB79DE54CB60

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 1121 74675c-746778 1122 746784-7467a2 CreateFileA 1121->1122 1123 74677a-74677e SetFileAttributesA 1121->1123 1124 7467a4-7467b2 CreateFileA 1122->1124 1125 7467b5-7467b8 1122->1125 1123->1122 1124->1125 1126 7467c5-7467c9 1125->1126 1127 7467ba-7467bf SetFileAttributesA 1125->1127 1128 746977-746986 1126->1128 1129 7467cf-7467df GetFileSize 1126->1129 1127->1126 1130 7467e5-7467e7 1129->1130 1131 74696b 1129->1131 1130->1131 1132 7467ed-74680b ReadFile 1130->1132 1133 74696e-746971 FindCloseChangeNotification 1131->1133 1132->1131 1134 746811-746824 SetFilePointer 1132->1134 1133->1128 1134->1131 1135 74682a-746842 ReadFile 1134->1135 1135->1131 1136 746848-746861 SetFilePointer 1135->1136 1136->1131 1137 746867-746876 1136->1137 1138 7468d5-7468df 1137->1138 1139 746878-74688f ReadFile 1137->1139 1138->1133 1142 7468e5-7468eb 1138->1142 1140 746891-74689e 1139->1140 1141 7468d2 1139->1141 1145 7468b7-7468ba 1140->1145 1146 7468a0-7468b5 1140->1146 1141->1138 1143 7468f0-7468fe call 74ebcc 1142->1143 1144 7468ed 1142->1144 1143->1131 1152 746900-74690b SetFilePointer 1143->1152 1144->1143 1148 7468bd-7468c3 1145->1148 1146->1148 1150 7468c5 1148->1150 1151 7468c8-7468ce 1148->1151 1150->1151 1151->1139 1153 7468d0 1151->1153 1154 74690d-746920 ReadFile 1152->1154 1155 74695a-746969 call 74ec2e 1152->1155 1153->1138 1154->1155 1156 746922-746958 1154->1156 1155->1133 1156->1133
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0074677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0074679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 007467B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 007467BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 007467D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00748244,00000000,?,76230F10,00000000), ref: 00746807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0074681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0074683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0074685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00748244,00000000,?,76230F10,00000000), ref: 0074688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00746906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00748244,00000000,?,76230F10,00000000), ref: 0074691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00746971
                                                                                              • Part of subcall function 0074EC2E: GetProcessHeap.KERNEL32(00000000,'t,00000000,0074EA27,00000000), ref: 0074EC41
                                                                                              • Part of subcall function 0074EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0074EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0
                                                                                            • Opcode ID: 4a2519ac14c047c4c489ef27131acacf2455cf8eca4d4046bc95d98405a9ad8c
                                                                                            • Instruction ID: cd5db214c0d37f0c793b9202b8b26b74edf3310002c59d6478c0daee676b5983
                                                                                            • Opcode Fuzzy Hash: 4a2519ac14c047c4c489ef27131acacf2455cf8eca4d4046bc95d98405a9ad8c
                                                                                            • Instruction Fuzzy Hash: 2D7127B1C0021EEFDF118FA4CC84AEEBBB9FB05314F10456AE915A6190E7749E92DB61

                                                                                             Control-flow Graph: function at 0074F315 (graph rendering and node/edge listing not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • htons.WS2_32(0074CA1D), ref: 0074F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0074F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0074F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: c22351051781a70c067d4309e602906df20ef4d0ec687d2cdb72ebb8918e4472
                                                                                            • Instruction ID: 8859a36eb047dc380a8fc29599f90e7c661c080e9a75df3d656274595addef85
                                                                                            • Opcode Fuzzy Hash: c22351051781a70c067d4309e602906df20ef4d0ec687d2cdb72ebb8918e4472
                                                                                            • Instruction Fuzzy Hash: 11316972900219ABDB10DFA8DC899EF7BBCFF88350F108166F915E2150E7789A418BE5

                                                                                             Control-flow Graph: function at 0074405E (graph rendering and node/edge listing not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00744070
                                                                                            • ExitProcess.KERNEL32 ref: 00744121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: 594e97614b51fe0a6d6576d6a9d7dcdcd30a76666907a4ebbee2d93f5aa05df8
                                                                                            • Instruction ID: de742be1640aee1b0e77a11f2424409365b743243d690276cc50f1efdd11bff3
                                                                                            • Opcode Fuzzy Hash: 594e97614b51fe0a6d6576d6a9d7dcdcd30a76666907a4ebbee2d93f5aa05df8
                                                                                            • Instruction Fuzzy Hash: DD518071D00219FAEB10ABA08C4AFFF7B7CEB11755F000065FA04B60D1E7788A45E7A1

                                                                                             Control-flow Graph: function at 00742D21 (graph rendering and node/edge listing not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00742F01,?,007420FF,00752000), ref: 00742D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00742D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00742D61
                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00742D77
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00742D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00742DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00742DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 233223969-3847274415
                                                                                            • Opcode ID: 708f85fdde9936bdd48258ab8ab864f92cedf0e418156441666eb90b2e0d5b47
                                                                                            • Instruction ID: ca57a48834ac0d3482b528541e2920e5708f16869636be3abdb4d4e25cac0026
                                                                                            • Opcode Fuzzy Hash: 708f85fdde9936bdd48258ab8ab864f92cedf0e418156441666eb90b2e0d5b47
                                                                                            • Instruction Fuzzy Hash: EA219071E00629BBCB219F64DC44AEEBBB8EF08B51F514015F805E3151D7B89D968BD0

                                                                                             Control-flow Graph: function at 007480C9 (graph rendering and node/edge listing not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0074815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0074A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00748187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0074A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 007481BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00748210
                                                                                              • Part of subcall function 0074675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0074677E
                                                                                              • Part of subcall function 0074675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0074679A
                                                                                              • Part of subcall function 0074675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 007467B0
                                                                                              • Part of subcall function 0074675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 007467BF
                                                                                              • Part of subcall function 0074675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 007467D3
                                                                                              • Part of subcall function 0074675C: ReadFile.KERNELBASE(000000FF,?,00000040,00748244,00000000,?,76230F10,00000000), ref: 00746807
                                                                                              • Part of subcall function 0074675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0074681F
                                                                                              • Part of subcall function 0074675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0074683E
                                                                                              • Part of subcall function 0074675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0074685C
                                                                                              • Part of subcall function 0074EC2E: GetProcessHeap.KERNEL32(00000000,'t,00000000,0074EA27,00000000), ref: 0074EC41
                                                                                              • Part of subcall function 0074EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0074EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\qruvscyd\zgjedxxr.exe
                                                                                            • API String ID: 124786226-4236501990
                                                                                            • Opcode ID: e0d89aeea0c7dd00af7f2c2a586ed05b505dbf4ad25cae3140cd3132ac90aece
                                                                                            • Instruction ID: f555472a0985a3911b398a71de24b68731b008d33765db211d5e74ccac6e7b66
                                                                                            • Opcode Fuzzy Hash: e0d89aeea0c7dd00af7f2c2a586ed05b505dbf4ad25cae3140cd3132ac90aece
                                                                                            • Instruction Fuzzy Hash: F241A1B290520DFFEB51EBA09C85DFE776CEB15300F14446AF605A2012EBB85E45CB66

                                                                                             Control-flow Graph: function at 00741AC3 (graph rendering and node/edge listing not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00741AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00741AE9
                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00741B20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 3646706440-1087626847
                                                                                            • Opcode ID: 9b4bba058a583f490f2b7bcd0aa3451a5a81d8e9b95f333d99c73ee13be1b6d9
                                                                                            • Instruction ID: 51d7cfa47dcf95d8ab3ca3c5111801ce4d218d2a8b8aabe9afdc3a9215ddd2c4
                                                                                            • Opcode Fuzzy Hash: 9b4bba058a583f490f2b7bcd0aa3451a5a81d8e9b95f333d99c73ee13be1b6d9
                                                                                            • Instruction Fuzzy Hash: 9E11E6B1E01238FFCB11ABA4DC89CEDFBBAEB44B11B954056E005E3141E7784E80CB94

                                                                                             Control-flow Graph: function at 0074E3CA (graph rendering and node/edge listing not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,0074E5F2,00000000,00020119,0074E5F2,007522F8), ref: 0074E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0074E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0074E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0074E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0074E482
                                                                                            • RegQueryValueExA.ADVAPI32(0074E5F2,?,00000000,?,80000001,?), ref: 0074E4CF
                                                                                            • RegCloseKey.ADVAPI32(0074E5F2,?,?,?,?,000000C8,000000E4), ref: 0074E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: bb9f946a9ff6b0448bf5d8d7508d44219a9b75a5d23cd66d06f06ec9dfa00637
                                                                                            • Instruction ID: e2037664322b1a14a791c2a4155d37a241878a30c34b9da56093384613343b12
                                                                                            • Opcode Fuzzy Hash: bb9f946a9ff6b0448bf5d8d7508d44219a9b75a5d23cd66d06f06ec9dfa00637
                                                                                            • Instruction Fuzzy Hash: 254104B2D0021DEFEF119FD8DC85DEEBBB9FB04355F144466FA10A2160E3759A158BA0

                                                                                             Control-flow Graph: function at 0074F26D (single basic block; graph rendering not reproduced in this export; called APIs are listed below)
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0074F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0074F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0074F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0074F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0074F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: cb323ba87601755a1050bf477bbe10e029fcb726ccf5d3441558fa4aff049da6
                                                                                            • Instruction ID: 1dc11a0ad71ee92da6f5c4b8a06d7da90a703cde32734e90f77b917c9e29f633
                                                                                            • Opcode Fuzzy Hash: cb323ba87601755a1050bf477bbe10e029fcb726ccf5d3441558fa4aff049da6
                                                                                            • Instruction Fuzzy Hash: E9110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94

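The five setsockopt calls above are listed with raw stack values, which is how Joe Sandbox prints them. The decoder below is an added example written for this page, not code from the Joe Sandbox report or from the Tofsee sample; it parses those five lines (copied from the listing and treated as constructed input) and maps the level/option numbers to their winsock2.h names: 0xFFFF is SOL_SOCKET, 0x0004 SO_REUSEADDR, 0x1005 SO_SNDTIMEO, 0x1006 SO_RCVTIMEO, 0x0080 SO_LINGER, and level 6 / option 1 is IPPROTO_TCP / TCP_NODELAY. The regular expression and the helper names are this example's own assumptions about the report's line format. Note that the sandbox records the optval pointer, not what it points to, so the actual timeout and linger values cannot be recovered from the trace alone.

```python
"""Decode Winsock setsockopt() calls from Joe Sandbox API trace lines.

Added example for this page; not part of the Joe Sandbox report or of the
analysed sample. Constants are the Windows values from winsock2.h (Linux uses
different numbers, so do not reuse this table for a Linux trace).
"""
import re
from typing import List, NamedTuple, Optional

SOL_SOCKET = 0xFFFF
IPPROTO_TCP = 0x0006
LEVEL_NAMES = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP", 0x0000: "IPPROTO_IP"}
OPTION_NAMES = {
    SOL_SOCKET: {
        0x0004: "SO_REUSEADDR",
        0x0008: "SO_KEEPALIVE",
        0x0080: "SO_LINGER",
        0x1001: "SO_SNDBUF",
        0x1002: "SO_RCVBUF",
        0x1005: "SO_SNDTIMEO",
        0x1006: "SO_RCVTIMEO",
    },
    IPPROTO_TCP: {0x0001: "TCP_NODELAY"},
}

# Assumed shape of one Joe Sandbox API line: "<api>.<module>(<hex args>), ref: <addr>".
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


class SockOpt(NamedTuple):
    ref: int               # call-site address inside the dumped image
    socket: Optional[int]  # first argument; None when the report prints '?'
    level: str
    option: str
    optlen: Optional[int]


def _arg(value: str) -> Optional[int]:
    """Unknown stack slots are printed as '?'; everything else is hex."""
    value = value.strip()
    return None if value == "?" else int(value, 16)


def decode_setsockopt(line: str) -> Optional[SockOpt]:
    """Symbolic form of one setsockopt() trace line, or None for any other API."""
    m = API_LINE.search(line)
    if not m or m.group("api") != "setsockopt":
        return None
    args = [_arg(a) for a in m.group("args").split(",")]
    if len(args) != 5:
        raise ValueError(f"setsockopt takes 5 arguments, got {len(args)}: {line!r}")
    sock, level, optname, _optval_ptr, optlen = args  # optval is a pointer, not dereferenced
    level_name = "?" if level is None else LEVEL_NAMES.get(level, f"level_0x{level:04x}")
    if optname is None:
        opt_name = "?"
    else:
        opt_name = OPTION_NAMES.get(level, {}).get(optname, f"opt_0x{optname:04x}")
    return SockOpt(int(m.group("ref"), 16), sock, level_name, opt_name, optlen)


def decode_trace(lines: List[str]) -> List[SockOpt]:
    """Decode every setsockopt() call in a block of API lines, in report order."""
    return [d for d in (decode_setsockopt(line) for line in lines) if d is not None]


def describe(opts: List[SockOpt]) -> List[str]:
    """One readable line per call, keyed by call-site address."""
    return [f"{o.ref:08X}: setsockopt({o.level}, {o.option}, optlen={o.optlen})" for o in opts]


# Constructed input: the five API lines from the report entry for 74f26d-74f303.
TRACE = [
    "setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0074F2A0",
    "setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0074F2C0",
    "setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0074F2DD",
    "setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0074F2EC",
    "setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0074F2FD",
]

if __name__ == "__main__":
    for entry in describe(decode_trace(TRACE)):
        print(entry)
```

Reuse of the address, send/receive timeouts, Nagle disabled and an explicit linger policy is the usual tuning for a client that opens many short-lived outbound connections; seeing it in an injected svchost.exe image is worth correlating with the network traffic section of the report rather than interpreting on its own.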
                                                                                            Control-flow Graph: 741bdf-741c5e (entry 741bdf-741c04 calls 741ac3; GetComputerNameA at 741c0d-741c1d; loop 741c26-741c3b; GetVolumeInformationA at 741c45-741c57; exit 741c5a-741c5e)
                                                                                            APIs
                                                                                              • Part of subcall function 00741AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00741AD4
                                                                                              • Part of subcall function 00741AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00741AE9
                                                                                              • Part of subcall function 00741AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00741B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00741C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00741C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2794401326-2393279970
                                                                                            • Opcode ID: cc8b58e42bfafb2179fbb8311fc02edf147883af2121f5146d1e8a34749b2035
                                                                                            • Instruction ID: 13525a1193ee8f6170e194c9de2c29c2ebf562c6ad00d53de7bf2639caad397c
                                                                                            • Opcode Fuzzy Hash: cc8b58e42bfafb2179fbb8311fc02edf147883af2121f5146d1e8a34749b2035
                                                                                            • Instruction Fuzzy Hash: 85018072A40218BBEB10EAE8CCC59EFBABDEB44755F504475E602E2140D2789E8486B0
                                                                                            APIs
                                                                                              • Part of subcall function 00741AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00741AD4
                                                                                              • Part of subcall function 00741AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00741AE9
                                                                                              • Part of subcall function 00741AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00741B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00741BA3
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00741EFD,00000000,00000000,00000000,00000000), ref: 00741BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2794401326-1857712256
                                                                                            • Opcode ID: f4f10ffb0e46a14d5a92ae93e8d12216bd5903f7381c2c294a219e14e29affe3
                                                                                            • Instruction ID: e0d2e01aebcd7a8582a17efc4c2846a0397abd37fa02339e0aafd076c2015034
                                                                                            • Opcode Fuzzy Hash: f4f10ffb0e46a14d5a92ae93e8d12216bd5903f7381c2c294a219e14e29affe3
                                                                                            • Instruction Fuzzy Hash: D9018BB2D00208BFEB00ABE9CC859EFFABCEB48760F150062A611E3180D6745E0886E0
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00742693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0074269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: b3393eb4a30dd52778755db6d9e206ac65f671ec02c53438fea5fde9c78c94fa
                                                                                            • Instruction ID: 705fca064d4f4ca33578ad6147ba755b4c061c1f09666afbadf5da19452dae42
                                                                                            • Opcode Fuzzy Hash: b3393eb4a30dd52778755db6d9e206ac65f671ec02c53438fea5fde9c78c94fa
                                                                                            • Instruction Fuzzy Hash: 83E0C2306041218FCB10CB28F848AC53BE4EF06331F428180F440C31A1DB78DC828786
                                                                                            APIs
                                                                                              • Part of subcall function 0074EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0074EC0A,00000000,80000001,?,0074DB55,7FFF0001), ref: 0074EBAD
                                                                                              • Part of subcall function 0074EBA0: HeapSize.KERNEL32(00000000,?,0074DB55,7FFF0001), ref: 0074EBB4
                                                                                            • GetProcessHeap.KERNEL32(00000000,'t,00000000,0074EA27,00000000), ref: 0074EC41
                                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 0074EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$FreeSize
                                                                                            • String ID: 't
                                                                                            • API String ID: 1305341483-4091447706
                                                                                            • Opcode ID: 07eacb75295810b17f710dc2993a4ff5ccd855d01985120b6c99fd4efffcae34
                                                                                            • Instruction ID: 8a134cb4ca06d37d6b51831dca08c6b401904e396d2c16cb07a93920184cd1e7
                                                                                            • Opcode Fuzzy Hash: 07eacb75295810b17f710dc2993a4ff5ccd855d01985120b6c99fd4efffcae34
                                                                                            • Instruction Fuzzy Hash: 18C01232406B34ABC5512760BD0DFDF6B18EF45722F094409F4056605087A85C4086E6
                                                                                            APIs
                                                                                              • Part of subcall function 0074DD05: GetTickCount.KERNEL32 ref: 0074DD0F
                                                                                              • Part of subcall function 0074DD05: InterlockedExchange.KERNEL32(007536B4,00000001), ref: 0074DD44
                                                                                              • Part of subcall function 0074DD05: GetCurrentThreadId.KERNEL32 ref: 0074DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0074A445), ref: 0074E558
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,76230F10,?,00000000,?,0074A445), ref: 0074E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0074A445), ref: 0074E5B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID:
                                                                                            • API String ID: 3683885500-0
                                                                                            • Opcode ID: b05923f370becece29a7a352706a0a65ae984f19b75fc87feacb56719c03a1c0
                                                                                            • Instruction ID: 3c0ce1b8c90bb57b299e731834414f48bd43849b839694498ed42806d0daac3d
                                                                                            • Opcode Fuzzy Hash: b05923f370becece29a7a352706a0a65ae984f19b75fc87feacb56719c03a1c0
                                                                                            • Instruction Fuzzy Hash: A12129F2680304BAE2217B215C0FFEB7A0CEB51766F500558BE4DA11D3EBADD92181F1
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 007488A5
                                                                                              • Part of subcall function 0074F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0074E342,00000000,75B4EA50,80000001,00000000,0074E513,?,00000000,00000000,?,000000E4), ref: 0074F089
                                                                                              • Part of subcall function 0074F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0074E342,00000000,75B4EA50,80000001,00000000,0074E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0074F093
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                            • String ID: localcfg$rresolv
                                                                                            • API String ID: 1561729337-486471987
                                                                                            • Opcode ID: f03a307dd70bc83aaa52221a8af0499bd223cff3fdf645e99c376ed2336bd319
                                                                                            • Instruction ID: 6515156e8e68144e72f91f2a8fd0e061e5079ea75ddb66d677839b0c8f364d7e
                                                                                            • Opcode Fuzzy Hash: f03a307dd70bc83aaa52221a8af0499bd223cff3fdf645e99c376ed2336bd319
                                                                                            • Instruction Fuzzy Hash: EB21E331648304AAF354B764BD8BBAE3AECAB46721F904419F904960D3EFED454481E6
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,007522F8,007442B6,00000000,00000001,007522F8,00000000,?,007498FD), ref: 00744021
                                                                                            • GetLastError.KERNEL32(?,007498FD,00000001,00000100,007522F8,0074A3C7), ref: 0074402C
                                                                                            • Sleep.KERNEL32(000001F4,?,007498FD,00000001,00000100,007522F8,0074A3C7), ref: 00744046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: c1a004fd152cb1a2212a3d43878c1bf94682e7a20128a625925579cc845f346f
                                                                                            • Instruction ID: c1590dd4b15084a666ca3764df0cf69306f406d88c1165de698226decd2796f2
                                                                                            • Opcode Fuzzy Hash: c1a004fd152cb1a2212a3d43878c1bf94682e7a20128a625925579cc845f346f
                                                                                            • Instruction Fuzzy Hash: EDF0EC32240201AFD7318B34BC49B5A7361EB81731F268B64F3B5E20F0C7744891BB58
                                                                                            APIs
                                                                                            • GetEnvironmentVariableA.KERNEL32(0074DC19,?,00000104), ref: 0074DB7F
                                                                                            • lstrcpyA.KERNEL32(?,007528F8), ref: 0074DBA4
                                                                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0074DBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                            • String ID:
                                                                                            • API String ID: 2536392590-0
                                                                                            • Opcode ID: 4fe8cd0409c5a39fab8c0ff50ff8ed87d12db7abe8b306c0070f0e9519c6be03
                                                                                            • Instruction ID: cea6232cc23c24615b87bcb635790c054d097499186e4491ccb5edb818d37865
                                                                                            • Opcode Fuzzy Hash: 4fe8cd0409c5a39fab8c0ff50ff8ed87d12db7abe8b306c0070f0e9519c6be03
                                                                                            • Instruction Fuzzy Hash: 60F0B4B0100309ABEF21DF64DC89FD93B69BB10718F104194BB95A40D0D7F6D945CF54
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0074EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0074EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0074EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 5f53a2b709500be125014b737c3ad6fa1a1f9554208868916acb873eccdd0af1
                                                                                            • Instruction ID: 815298b466d2e8bc65167f9f0ef8ad7c806b5ca7394b0eb7fc30861689df2ea1
                                                                                            • Opcode Fuzzy Hash: 5f53a2b709500be125014b737c3ad6fa1a1f9554208868916acb873eccdd0af1
                                                                                            • Instruction Fuzzy Hash: A4E09AF5810208BFE701ABB0DC4AEAB77BCEB08315F504654B915D60A0DAB49A048BA4
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 007430D8
                                                                                            • gethostbyname.WS2_32(?), ref: 007430E2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynamegethostname
                                                                                            • String ID:
                                                                                            • API String ID: 3961807697-0
                                                                                            • Opcode ID: c2f8fe1633d4c46ff3c21576986ce425f2d35e816e0f47e2169cef87f41cc875
                                                                                            • Instruction ID: f1a703d6cacd7426f827d65f8253a06fa4b0971e7b655999be2d4603c2d34100
                                                                                            • Opcode Fuzzy Hash: c2f8fe1633d4c46ff3c21576986ce425f2d35e816e0f47e2169cef87f41cc875
                                                                                            • Instruction Fuzzy Hash: B0E09B719002199BDF00DBA8EC89FCA77ECFF04304F084161F945E3250EA78E50487D4
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,0074DB55,7FFF0001), ref: 0074EC13
                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,0074DB55,7FFF0001), ref: 0074EC1A
                                                                                              • Part of subcall function 0074EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0074EBFE,7FFF0001,?,0074DB55,7FFF0001), ref: 0074EBD3
                                                                                              • Part of subcall function 0074EBCC: RtlAllocateHeap.NTDLL(00000000,?,0074DB55,7FFF0001), ref: 0074EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1357844191-0
                                                                                            • Opcode ID: e520eb4702e740aa320a445380c5fc4a5dfdadf9ef2890365a8aad9f823b0131
                                                                                            • Instruction ID: 0918b0a48005736b1bb3dd6cae839c699a751562a249e88158f189dd5c05956b
                                                                                            • Opcode Fuzzy Hash: e520eb4702e740aa320a445380c5fc4a5dfdadf9ef2890365a8aad9f823b0131
                                                                                            • Instruction Fuzzy Hash: 07E01A32104618BADF022FA4EC09EED3B59EB04372F108025FA0D89061CB7A8990DA95
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0074EBFE,7FFF0001,?,0074DB55,7FFF0001), ref: 0074EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0074DB55,7FFF0001), ref: 0074EBDA
                                                                                              • Part of subcall function 0074EB74: GetProcessHeap.KERNEL32(00000000,00000000,0074EC28,00000000,?,0074DB55,7FFF0001), ref: 0074EB81
                                                                                              • Part of subcall function 0074EB74: HeapSize.KERNEL32(00000000,?,0074DB55,7FFF0001), ref: 0074EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: 9daba2c8241c59393a7d3db42ba400a3568d7fe5088d5d7f3cd6cab1bc97eb83
                                                                                            • Instruction ID: 5633e34e0db7c18561e341e4e2419b5cc0f72c23deeb6a5422b02cc093f78c68
                                                                                            • Opcode Fuzzy Hash: 9daba2c8241c59393a7d3db42ba400a3568d7fe5088d5d7f3cd6cab1bc97eb83
                                                                                            • Instruction Fuzzy Hash: 7BC08C32208720ABC60127B8BC0CEDE3E98EF083A3F048014FA09C2160CB784C40C7EB
                                                                                            APIs
                                                                                            • recv.WS2_32(000000C8,?,00000000,0074CA44), ref: 0074F476
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: recv
                                                                                            • String ID:
                                                                                            • API String ID: 1507349165-0
                                                                                            • Opcode ID: 483ab61a31478088aa13d047d4500b565aec78f0238fbee2eb9f16c50990e388
                                                                                            • Instruction ID: 9026619da52402de7050e1e9da7f9d5504860fa944a87b9c17222398a516221f
                                                                                            • Opcode Fuzzy Hash: 483ab61a31478088aa13d047d4500b565aec78f0238fbee2eb9f16c50990e388
                                                                                            • Instruction Fuzzy Hash: A0F01C7220159AAB9B119E9EDC84CEB3BAEFB89350B050532FA14D7110DB35E8218BA0
                                                                                            APIs
                                                                                            • closesocket.WS2_32(00000000), ref: 00741992
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesocket
                                                                                            • String ID:
                                                                                            • API String ID: 2781271927-0
                                                                                            • Opcode ID: eb5988d83949327dea88fb68cf8f53b23e16f8a2eab144ce02f5870c92ce1aa9
                                                                                            • Instruction ID: 604813f3838bdcadb8cdce81ccb4fa65a64ce4d7914bf209865ee5c68262b46b
                                                                                            • Opcode Fuzzy Hash: eb5988d83949327dea88fb68cf8f53b23e16f8a2eab144ce02f5870c92ce1aa9
                                                                                            • Instruction Fuzzy Hash: E9D012365487716A52113759BC094BFAB9CDF456B2B51842AFC48C0150DB38CC8187D5
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(80000011,00000000), ref: 0074DDB5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID:
                                                                                            • API String ID: 1586166983-0
                                                                                            • Opcode ID: a7d20d66b5a590093c5412f8802a1d7bdc1ea65d9a6fafbac55070910460a929
                                                                                            • Instruction ID: fc76cd049c593ae651bf6963c8dfacf6bae46454eaf0a166b3a4d7ff26740321
                                                                                            • Opcode Fuzzy Hash: a7d20d66b5a590093c5412f8802a1d7bdc1ea65d9a6fafbac55070910460a929
                                                                                            • Instruction Fuzzy Hash: 48F08C31B00302DBCB30CE249884696B3E8EF86726F14483FE199D2190DB38DC55CFA1
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00749816,EntryPoint), ref: 0074638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00749816,EntryPoint), ref: 007463A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 007463CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 007463EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: a87a73218ef2e51517796c026303c8e70f8733ad6d6070fed52f1c41bb1f21df
                                                                                            • Instruction ID: 26edca8df76c316b8370d3fd62ce2c2510d4c2fdcb0545def7e20e575028b7a0
                                                                                            • Opcode Fuzzy Hash: a87a73218ef2e51517796c026303c8e70f8733ad6d6070fed52f1c41bb1f21df
                                                                                            • Instruction Fuzzy Hash: 9E11A3B1600219BFEB119F65DC49F9B3BA8EF057A5F104024F908E7290D7B4DC008AE5
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00741839,00749646), ref: 00741012
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 007410C2
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 007410E1
                                                                                            • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00741101
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00741121
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00741140
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00741160
                                                                                            • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00741180
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0074119F
                                                                                            • GetProcAddress.KERNEL32(00000000,NtClose), ref: 007411BF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 007411DF
                                                                                            • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 007411FE
                                                                                            • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0074121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 0776668359668d181b95f169626d5e5bbffd494db35bbd93022ed9bdbd0de2d5
                                                                                            • Instruction ID: 6032be3c7621e12257e2b4369f0c4dc603617cdbbbd389bcb91ccdca5f80d831
                                                                                            • Opcode Fuzzy Hash: 0776668359668d181b95f169626d5e5bbffd494db35bbd93022ed9bdbd0de2d5
                                                                                            • Instruction Fuzzy Hash: A15163F1642B05AAD7119BACAC407D236E877483ABF5483569420D21F0D7FCEAC5CB99
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0074B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0074B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0074B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0074B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0074B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0074B329
                                                                                            • wsprintfA.USER32 ref: 0074B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: a264362ceb34146cc636d6d4fbd3203244248c164fd5122da630323d4a50be31
                                                                                            • Instruction ID: 0a19368c7809bb3db6679d2653311b13d9f4101ea1f6ff5c8fb2506c52954f52
                                                                                            • Opcode Fuzzy Hash: a264362ceb34146cc636d6d4fbd3203244248c164fd5122da630323d4a50be31
                                                                                            • Instruction Fuzzy Hash: A7514EB1D0021CAADF14DFD5D8888EEBBB9FF49306F104569E901B6150D3B89A89CBE4
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: 6df9784ad66020c2f776bbda30b6dbfd6c2616b84aed628e23fb4f6dbf50c2d1
                                                                                            • Instruction ID: 2c6ebe7fda5674fd24e9e2bb110da1fc693a373c3aa2a4df8530af3b5d8f5051
                                                                                            • Opcode Fuzzy Hash: 6df9784ad66020c2f776bbda30b6dbfd6c2616b84aed628e23fb4f6dbf50c2d1
                                                                                            • Instruction Fuzzy Hash: 6C618CB2940208EFDB609FB4DC45FEA77E8FB09301F108069F968D2161EBB599548F51
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0074A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0074A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0074A893
                                                                                            • wsprintfA.USER32 ref: 0074A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0074A8D2
                                                                                            • wsprintfA.USER32 ref: 0074A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0074A97C
                                                                                            • wsprintfA.USER32 ref: 0074A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: 44879ab86375a17ed6be453c322c84d5ba85e64482496a196db4c1b3341cf61c
                                                                                            • Instruction ID: def3d78b64c13651af48221f2d909b1cf2a657ea711881bd4991329d652c12dc
                                                                                            • Opcode Fuzzy Hash: 44879ab86375a17ed6be453c322c84d5ba85e64482496a196db4c1b3341cf61c
                                                                                            • Instruction Fuzzy Hash: 58A106B1AC4319FBEF218A54DC89FEE3B69EB00305F248066F901A6091DBBD9D48C757
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0074139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00741571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-1839596206
                                                                                            • Opcode ID: ca18b5eea2810f101b8a1ff17f518d05290e3cf17f74f80597d2c6b13576cb57
                                                                                            • Instruction ID: c0ebe92a098a3d47c1e54fe5e04301c9f6686caf31b042ba9ecb5f0450d0a2a9
                                                                                            • Opcode Fuzzy Hash: ca18b5eea2810f101b8a1ff17f518d05290e3cf17f74f80597d2c6b13576cb57
                                                                                            • Instruction Fuzzy Hash: 30F1AEB55083419FD320EF64C888BABB7E4FB88345F50891DF596C72A0D7B8E984CB56
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00742A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00742A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00742AA0
                                                                                            • htons.WS2_32(00000000), ref: 00742ADB
                                                                                            • select.WS2_32 ref: 00742B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00742B4A
                                                                                            • htons.WS2_32(?), ref: 00742B71
                                                                                            • htons.WS2_32(?), ref: 00742B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00742BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: b755b798d45d952e27155fe36aeb9284332d1ed43396de9611476fad74122d91
                                                                                            • Instruction ID: c65cb03ad055c97316b5b75b1ce33532cb5083d0c045a89e47ebe6c9236a81ff
                                                                                            • Opcode Fuzzy Hash: b755b798d45d952e27155fe36aeb9284332d1ed43396de9611476fad74122d91
                                                                                            • Instruction Fuzzy Hash: C561D1719043059BC7209F65DC88B6FBBE8FB88391F514809F94997152D7B8D8528BE2
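The function records above give each routine's API calls, string table and Opcode ID but leave the behavioural reading to the analyst. The Python below is an added example written for this page; it is not Joe Sandbox code and not code recovered from the sample. It parses records in exactly the "APIs / String ID / Opcode ID / Instruction Fuzzy Hash" layout printed here and tags the four behaviours this listing evidences: the VirtualAllocEx plus WriteProcessMemory chain, LoadLibraryA("ntdll.dll") followed by GetProcAddress of Nt*/Rtl* exports, SMTP envelope verbs beside send/recv, and socket(2, 2, 17). The tag names and the matching rules are this example's own choices; the embedded SAMPLE is an excerpt of the records above with API lines trimmed to what each rule needs.

```python
"""Tag Joe Sandbox function records by the behaviour their API chain and strings show.
Added example for this page, not Joe Sandbox or Tofsee code; the tag names are mine."""
import re
from dataclasses import dataclass, field
from typing import NamedTuple

# One API line: '• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR'
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")

class ApiCall(NamedTuple):
    name: str
    module: str
    args: list
    ref: str
    subcall: str  # callee address for 'Part of subcall function' entries, else ""

@dataclass
class FuncRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    opcode_id: str = ""

def parse_records(text):
    """A record opens at an 'APIs' header and closes at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncRecord()
        elif cur is None:
            continue
        elif line.startswith("• String ID:"):  # '$'-separated string table, may be empty
            body = line.split(":", 1)[1].strip()
            cur.strings = [s for s in body.split("$") if s]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = None
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
    return records

def classify(rec):
    """Behaviour tags for one record, from call names, call arguments and strings only."""
    names = {a.name for a in rec.apis if not a.subcall}
    tags = []
    if {"VirtualAllocEx", "WriteProcessMemory"} <= names:  # allocate + write in a foreign process
        tags.append("remote-memory-write")
    loads_ntdll = any(a.name == "LoadLibraryA" and a.args and a.args[0].lower() == "ntdll.dll" for a in rec.apis)
    natives = [a.args[-1] for a in rec.apis
               if a.name == "GetProcAddress" and a.args and a.args[-1].startswith(("Nt", "Zw", "Rtl"))]
    if loads_ntdll and natives:  # native API resolved at runtime, absent from the import table
        tags.append(f"dynamic-ntdll-resolution({len(natives)})")
    low = [s.lower() for s in rec.strings]
    verbs = {v for v in ("ehlo", "helo", "mail from", "rcpt to", "data", "quit")
             if any(s.startswith(v) for s in low)}
    if {"send", "recv"} <= names and {"mail from", "rcpt to"} <= verbs:  # SMTP envelope verbs
        tags.append("smtp-client")
    # socket(AF_INET=2, SOCK_DGRAM=2, IPPROTO_UDP=17); Joe prints arguments as 8 hex digits
    if any(a.name == "socket" and a.args[:3] == ["00000002", "00000002", "00000011"] for a in rec.apis):
        tags.append("udp-socket")
    return tags

def summarize(text):
    """Opcode ID (Joe's per-function identifier) -> tags, for tagged functions only."""
    return {r.opcode_id: t for r in parse_records(text) if (t := classify(r))}

# Excerpt of the listing above, API lines trimmed to what each rule needs.
SAMPLE = """
APIs
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 007463CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 007463EB
• String ID:
• Opcode ID: a87a73218ef2e51517796c026303c8e70f8733ad6d6070fed52f1c41bb1f21df
• Instruction Fuzzy Hash: 9E11A3B1600219BFEB119F65DC49F9B3BA8EF057A5F104024F908E7290D7B4DC008AE5
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00741839,00749646), ref: 00741012
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 007411DF
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0074121A
• String ID: NtClose$NtDuplicateToken$ntdll.dll
• Opcode ID: 0776668359668d181b95f169626d5e5bbffd494db35bbd93022ed9bdbd0de2d5
• Instruction Fuzzy Hash: A15163F1642B05AAD7119BACAC407D236E877483ABF5483569420D21F0D7FCEAC5CB99
APIs
• wsprintfA.USER32 ref: 0074A7FB
• send.WS2_32(00000000,?,00000000,00000000), ref: 0074A893
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0074A97C
• String ID: .$AUTH LOGIN$data$ehlo %s$mail from:<%s>$quit$rcpt to:<%s>
• Opcode ID: 44879ab86375a17ed6be453c322c84d5ba85e64482496a196db4c1b3341cf61c
• Instruction Fuzzy Hash: 58A106B1AC4319FBEF218A54DC89FEE3B69EB00305F248066F901A6091DBBD9D48C757
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 00742AA0
• String ID:
• Opcode ID: b755b798d45d952e27155fe36aeb9284332d1ed43396de9611476fad74122d91
• Instruction Fuzzy Hash: C561D1719043059BC7209F65DC88B6FBBE8FB88391F514809F94997152D7B8D8528BE2
"""

if __name__ == "__main__":
    for oid, tags in summarize(SAMPLE).items():
        print(oid[:16], *tags)
```

Run it on a saved copy of the listing and each tagged function prints under its Opcode ID, which is the key because Joe prints one per function and it stays constant between dumps of the same code. The tags describe what the code contains, not what executed in this run; confirm them against the dynamic signatures in the overview (the foreign-process write against "Injects a PE file into a foreign processes", the UDP socket against "Contains functionality to open a port and listen for incoming connection") before treating a match as observed behaviour. The "Part of subcall function" entries are parsed but kept out of the per-function name set so that a heap helper's calls do not get credited to every caller.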
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 007470C2
                                                                                            • RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0074719E
                                                                                            • RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 007471B2
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00747208
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00747291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 007472C2
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 007472D0
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 00747314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0074738D
                                                                                            • RegCloseKey.ADVAPI32(76230F10), ref: 007473D8
                                                                                              • Part of subcall function 0074F1A5: lstrlenA.KERNEL32(000000C8,000000E4,007522F8,000000C8,00747150,?), ref: 0074F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: 7c17dd184f5e1fc3f83b534e39ffa13f91f9d9134b4caf961e808a2c369ea07a
                                                                                            • Instruction ID: 8fdc9242097f3be5dfe8e36071c5c81bf40f6fbe340625248f712ef60b5bc20e
                                                                                            • Opcode Fuzzy Hash: 7c17dd184f5e1fc3f83b534e39ffa13f91f9d9134b4caf961e808a2c369ea07a
                                                                                            • Instruction Fuzzy Hash: 02B1A272908209EEDF189FA0DC49BEE77B8EF04311F100466F905E2090EB799A84CBA4
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0074AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0074ADA6
                                                                                              • Part of subcall function 0074AD08: gethostname.WS2_32(?,00000080), ref: 0074AD1C
                                                                                              • Part of subcall function 0074AD08: lstrlenA.KERNEL32(00000000), ref: 0074AD60
                                                                                              • Part of subcall function 0074AD08: lstrlenA.KERNEL32(00000000), ref: 0074AD69
                                                                                              • Part of subcall function 0074AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0074AD7F
                                                                                              • Part of subcall function 007430B5: gethostname.WS2_32(?,00000080), ref: 007430D8
                                                                                              • Part of subcall function 007430B5: gethostbyname.WS2_32(?), ref: 007430E2
                                                                                            • wsprintfA.USER32 ref: 0074AEA5
                                                                                              • Part of subcall function 0074A7A3: inet_ntoa.WS2_32(?), ref: 0074A7A9
                                                                                            • wsprintfA.USER32 ref: 0074AE4F
                                                                                            • wsprintfA.USER32 ref: 0074AE5E
                                                                                              • Part of subcall function 0074EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0074EF92
                                                                                              • Part of subcall function 0074EF7C: lstrlenA.KERNEL32(?), ref: 0074EF99
                                                                                              • Part of subcall function 0074EF7C: lstrlenA.KERNEL32(00000000), ref: 0074EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: 03b99a2b66dbca75497536ca81991080a7fc926f6bf2e7139f35f9fa9cad9608
                                                                                            • Instruction ID: ab69d51221bb2b242375e599b89f232db5eb1aabba7bc67b142f8148cc14cb6d
                                                                                            • Opcode Fuzzy Hash: 03b99a2b66dbca75497536ca81991080a7fc926f6bf2e7139f35f9fa9cad9608
                                                                                            • Instruction Fuzzy Hash: 474132B290021CBBDF25EFA0DC4AEEE3BADFF08310F14442AB91592151EB79D5588B61
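The record above uses the Joe Sandbox IDA-plugin layout found throughout this section: an "APIs" list with "Part of subcall function" lines, a "String ID" field whose entries are joined with "$", and opcode/instruction fuzzy hashes. As an added example (not part of the Joe Sandbox report or of the sample), the following parser turns one such record into a structure a triage script can query: the direct calls in report order, the callee addresses of the subcalls, the split string list, and the %UPPERCASE tokens (%OUTLOOK_BND_, %OUTLOOK_HST, %OUTLOOK_MID here; %FROM_EMAIL, %TO_HASH in a later record) that a wsprintf-style formatter would not consume and which therefore look like substitution tokens in a message template. The sample input is the record above copied verbatim; the class and function names are this example's own. Caveat: because the report joins String IDs with "$", a literal "$" inside an extracted string cannot be told apart from the separator.

```python
"""Parser for Joe Sandbox 'IDA Plugin' function-summary records.
Added example; not code from the Joe Sandbox report or the analysed sample."""
import re
from dataclasses import dataclass, field

# One API line, e.g. "• GetLocalTime.KERNEL32(?), ref: 0074AD98" or
# "• Part of subcall function 0074AD08: gethostname.WS2_32(?,00000080), ref: 0074AD1C"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)
# Key/value line, e.g. "• Instruction Fuzzy Hash: 474132B2..."
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Yara matches", "Similarity"}
PLACEHOLDER_RE = re.compile(r"%[A-Z][A-Z0-9_]*")  # %OUTLOOK_HST, %FROM_EMAIL, ...

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str       # call-site address as printed by the report
    subcall: str   # "" for a direct call, else the callee address

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

def parse_records(text):
    """Split report text into records; a record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs" and (cur.apis or cur.fields):
                records.append(cur); cur = FunctionRecord()
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"] or "", m["sub"] or ""))
            continue
        f = FIELD_RE.match(line)
        if f:
            key, val = f["key"], f["val"]
            if key == "String ID":
                cur.strings = [s for s in val.split("$") if s]   # leading '$' gives an empty slot
            else:
                cur.fields[key] = val
            if key == "Instruction Fuzzy Hash":
                records.append(cur); cur = FunctionRecord()
    if cur.apis or cur.fields or cur.strings:
        records.append(cur)
    return records

def direct_calls(rec):
    """API names the function calls itself, in report order (subcall lines excluded)."""
    return [c.name for c in rec.apis if not c.subcall]

def template_tokens(rec):
    """%UPPERCASE tokens a printf-style formatter would not consume."""
    return [t for s in rec.strings for t in PLACEHOLDER_RE.findall(s)]

# Constructed sample: the record above, copied verbatim from the report.
SAMPLE = """APIs
• GetLocalTime.KERNEL32(?), ref: 0074AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0074ADA6
• Part of subcall function 0074AD08: gethostname.WS2_32(?,00000080), ref: 0074AD1C
• Part of subcall function 0074AD08: lstrlenA.KERNEL32(00000000), ref: 0074AD60
• Part of subcall function 0074AD08: lstrlenA.KERNEL32(00000000), ref: 0074AD69
• Part of subcall function 0074AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0074AD7F
• Part of subcall function 007430B5: gethostname.WS2_32(?,00000080), ref: 007430D8
• Part of subcall function 007430B5: gethostbyname.WS2_32(?), ref: 007430E2
• wsprintfA.USER32 ref: 0074AEA5
• Part of subcall function 0074A7A3: inet_ntoa.WS2_32(?), ref: 0074A7A9
• wsprintfA.USER32 ref: 0074AE4F
• wsprintfA.USER32 ref: 0074AE5E
• Part of subcall function 0074EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0074EF92
• Part of subcall function 0074EF7C: lstrlenA.KERNEL32(?), ref: 0074EF99
• Part of subcall function 0074EF7C: lstrlenA.KERNEL32(00000000), ref: 0074EFA0
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_740000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: 03b99a2b66dbca75497536ca81991080a7fc926f6bf2e7139f35f9fa9cad9608
• Instruction ID: ab69d51221bb2b242375e599b89f232db5eb1aabba7bc67b142f8148cc14cb6d
• Opcode Fuzzy Hash: 03b99a2b66dbca75497536ca81991080a7fc926f6bf2e7139f35f9fa9cad9608
• Instruction Fuzzy Hash: 474132B290021CBBDF25EFA0DC4AEEE3BADFF08310F14442AB91592151EB79D5588B61
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(direct_calls(rec), template_tokens(rec), rec.fields["Instruction Fuzzy Hash"][:16])
```

The same parser accepts the whole section pasted in at once, since each record closes at its Instruction Fuzzy Hash line; the fields dictionary keeps the Opcode ID and the fuzzy hashes so records can be matched against other reports of the same family.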
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00742F0F,?,007420FF,00752000), ref: 00742E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00742F0F,?,007420FF,00752000), ref: 00742E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00742E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00742F0F,?,007420FF,00752000), ref: 00742E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00742F0F,?,007420FF,00752000), ref: 00742E4F
                                                                                            • htons.WS2_32(00000035), ref: 00742E88
                                                                                            • inet_addr.WS2_32(?), ref: 00742E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00742EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00742F0F,?,007420FF,00752000), ref: 00742EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00742F0F,?,007420FF,00752000), ref: 00742EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: bde68da43b218dd86be13a1a43a33c7eaac8241783a53489168fb1ea55483edd
                                                                                            • Instruction ID: 1a5c67082371cadf144ef8c0245da2349df1897a60907b638c19a722f334daec
                                                                                            • Opcode Fuzzy Hash: bde68da43b218dd86be13a1a43a33c7eaac8241783a53489168fb1ea55483edd
                                                                                            • Instruction Fuzzy Hash: 6E31D431A0071AABDF109BB89C4CAAE77B8AF04362F544115F924E7291EB78DD538B94
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00749DD7,?,00000022,?,?,00000000,00000001), ref: 00749340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00749DD7,?,00000022,?,?,00000000,00000001), ref: 0074936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00749DD7,?,00000022,?,?,00000000,00000001), ref: 00749375
                                                                                            • wsprintfA.USER32 ref: 007493CE
                                                                                            • wsprintfA.USER32 ref: 0074940C
                                                                                            • wsprintfA.USER32 ref: 0074948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 007494F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00749526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00749571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: 4459959eed57391a8a6878a14150f606025076bbf33135ce120579714d049960
                                                                                            • Instruction ID: 977e4c20a607c25454c33b6b298a8ff98badf1a044e035a0afd9860025e7cfa7
                                                                                            • Opcode Fuzzy Hash: 4459959eed57391a8a6878a14150f606025076bbf33135ce120579714d049960
                                                                                            • Instruction Fuzzy Hash: 75A17EB294020CEFEB21DFA0CC49FDF7BACEB05741F104066FA0592192E7B9D9558BA1
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00742078
                                                                                            • GetTickCount.KERNEL32 ref: 007420D4
                                                                                            • GetTickCount.KERNEL32 ref: 007420DB
                                                                                            • GetTickCount.KERNEL32 ref: 0074212B
                                                                                            • GetTickCount.KERNEL32 ref: 00742132
                                                                                            • GetTickCount.KERNEL32 ref: 00742142
                                                                                              • Part of subcall function 0074F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0074E342,00000000,75B4EA50,80000001,00000000,0074E513,?,00000000,00000000,?,000000E4), ref: 0074F089
                                                                                              • Part of subcall function 0074F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0074E342,00000000,75B4EA50,80000001,00000000,0074E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0074F093
                                                                                              • Part of subcall function 0074E854: lstrcpyA.KERNEL32(00000001,?,?,0074D8DF,00000001,localcfg,except_info,00100000,00750264), ref: 0074E88B
                                                                                              • Part of subcall function 0074E854: lstrlenA.KERNEL32(00000001,?,0074D8DF,00000001,localcfg,except_info,00100000,00750264), ref: 0074E899
                                                                                              • Part of subcall function 00741C5F: wsprintfA.USER32 ref: 00741CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: `|I$localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-346939463
                                                                                            • Opcode ID: bea5712f925f06a80719f3e99e6c4f15be37b177ecb5d18ba0836e24924fc791
                                                                                            • Instruction ID: 7b576cc13b94b5ae6feddd4e6270020d9c25b8068ed7f4dd9cbc2a8d00b0476d
                                                                                            • Opcode Fuzzy Hash: bea5712f925f06a80719f3e99e6c4f15be37b177ecb5d18ba0836e24924fc791
                                                                                            • Instruction Fuzzy Hash: 7A5126756043499EE728EF30ED4ABA63BD4BB02311F81402DF605861B3DBFC9857CA59
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0074B467
                                                                                              • Part of subcall function 0074EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0074EF92
                                                                                              • Part of subcall function 0074EF7C: lstrlenA.KERNEL32(?), ref: 0074EF99
                                                                                              • Part of subcall function 0074EF7C: lstrlenA.KERNEL32(00000000), ref: 0074EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: b1c492d66516574bbbdb0470cef3b2dcb77d2452fd34390244a25b90cf135323
                                                                                            • Instruction ID: 7ba4c4792d2677f7b668e815be2a78e79d4255f7a93f97fae5c713d0397d5a98
                                                                                            • Opcode Fuzzy Hash: b1c492d66516574bbbdb0470cef3b2dcb77d2452fd34390244a25b90cf135323
                                                                                            • Instruction Fuzzy Hash: 47413CF2540219BEDF01AAA4CCC6CFF7A6CFE49759B140525F904A2042EB78AE1997B1
                                                                                            APIs
                                                                                              • Part of subcall function 0074A4C7: GetTickCount.KERNEL32 ref: 0074A4D1
                                                                                              • Part of subcall function 0074A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0074A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0074C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0074C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0074C363
                                                                                            • GetTickCount.KERNEL32 ref: 0074C378
                                                                                            • GetTickCount.KERNEL32 ref: 0074C44D
                                                                                            • InterlockedIncrement.KERNEL32(0074C4E4), ref: 0074C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0074B535,00000000,?,0074C4E0), ref: 0074C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0074C4E0,00753588,00748810), ref: 0074C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: 02c1e4ee0ed01d9aa7184d5c795a227fb89514664e31ea6249bcf158520dd4e9
                                                                                            • Instruction ID: 8f6db7df2a7a469a8fb8adead990ae23f6e705a8294f0f0d5f63b982701c0660
                                                                                            • Opcode Fuzzy Hash: 02c1e4ee0ed01d9aa7184d5c795a227fb89514664e31ea6249bcf158520dd4e9
                                                                                            • Instruction Fuzzy Hash: 52517EB1601B418FD7658F69C6D552AFBE9FB48300B509D3EE18BC7A90D778F8448B11
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0074BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0074BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0074BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0074BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0074BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0074BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 07bc08ceb91ae2d0fdfa83bc9a83b561041abe5abbcab4f3e548f31efbd460b0
                                                                                            • Instruction ID: 160a191fd56de522cb04ebc673f58c02dacd536128565867a45d3dc6fc5c202a
                                                                                            • Opcode Fuzzy Hash: 07bc08ceb91ae2d0fdfa83bc9a83b561041abe5abbcab4f3e548f31efbd460b0
                                                                                            • Instruction Fuzzy Hash: 5A51D471A0031AEFDF118F64CC80BAA7BB9AF04345F044069EC49AB251E738ED59CF90
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00749E9D,00749A60,?,?,?,007522F8,?,?,?,00749A60,?,?,00749E9D), ref: 00746ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00749A60,?,?,00749E9D), ref: 00746B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00749A60,?,?,00749E9D,?,?,?,?,?,00749E9D,?,00000022,?), ref: 00746B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: b302da8c8b9ff42bdf93037ba5d98a2d78fa34bca4d8f00609f520c3a2923c2a
                                                                                            • Instruction ID: 1696f16341b438c88b31816bf6d66c4afd337652316c8e2e08dfca7fc0a82023
                                                                                            • Opcode Fuzzy Hash: b302da8c8b9ff42bdf93037ba5d98a2d78fa34bca4d8f00609f520c3a2923c2a
                                                                                            • Instruction Fuzzy Hash: 5E31F2F290024DEFDB01AFA48C84ADFBB79FB46310F248066E211E3251D7789945CBA6
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0074D7C3), ref: 00746F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0074D7C3), ref: 00746FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00746FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0074701F
                                                                                            • wsprintfA.USER32 ref: 00747036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: 697206ba0c10da8843f7b0794a4351dffbf489d0d1a4a03bd085d764ca93f459
                                                                                            • Instruction ID: 75f38e49a1ea1618bfeec084780a6e4d7c00ee3d4f10727686693c7e5c6145fd
                                                                                            • Opcode Fuzzy Hash: 697206ba0c10da8843f7b0794a4351dffbf489d0d1a4a03bd085d764ca93f459
                                                                                            • Instruction Fuzzy Hash: EF311872904219EBDB01DFA8D849ADE7BBCEF04314F048066F859DB151EB79DA08CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,007522F8,000000E4,00746DDC,000000C8), ref: 00746CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00746CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00746D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00746D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 61e4e59f92a9dd5d64a0ed4ebdf8ecf13ed14982fcc7949b9756d3b61600edbe
                                                                                            • Instruction ID: f6909c89ae2f15eed41973a599f110c9195af1e6901b5ad2e71f9393c79bf294
                                                                                            • Opcode Fuzzy Hash: 61e4e59f92a9dd5d64a0ed4ebdf8ecf13ed14982fcc7949b9756d3b61600edbe
                                                                                            • Instruction Fuzzy Hash: E221C391B81344B9FB2157315C8EFFB2E4C9B53756F084094F844A6192DBDD888B86EA
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00749947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,007522F8), ref: 007497B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,007522F8), ref: 007497EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,007522F8), ref: 007497F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,007522F8), ref: 00749831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,007522F8), ref: 0074984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,007522F8), ref: 0074985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: 9b2fb64f92b8a62d6eb7784323e424cc05426744c6bacaa59d5d989374e16360
                                                                                            • Instruction ID: ba494e4480bbba754b6a679d2fef5101cd04ffe1370ec40bc1ef684e804e9b42
                                                                                            • Opcode Fuzzy Hash: 9b2fb64f92b8a62d6eb7784323e424cc05426744c6bacaa59d5d989374e16360
                                                                                            • Instruction Fuzzy Hash: 76212CB1D01229BBDB119FA1DC49EEF7BBCEF09751F004061FA19E1050EB789A44CBA5
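The six calls listed for the function at 007497B1 through 0074985B are the ordered chain of process hollowing: a child is started with CreateProcessA whose sixth argument (dwCreationFlags) is 00000004, i.e. CREATE_SUSPENDED, its main thread context is read, memory is written into it, the context is replaced, and the thread is resumed. Because the "APIs" listings in this report are plain text of one fixed shape, they can be turned into detection input directly. The script below is an added example, not part of the Joe Sandbox report or the plugin that produced it: it parses listings of this shape, normalises the A/W suffix, and flags two chains as ordered subsequences of the calls, checking the argument values the sandbox recovered (CREATE_SUSPENDED on CreateProcess, GENERIC_WRITE plus CREATE_ALWAYS on CreateFile). The rule names and the argument positions are my own choices; the sample blocks are copied from the listings on this page, with the gethostname function included as a negative control.

```python
"""Classify Joe Sandbox "APIs" listings by ordered API-call chains (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit
GENERIC_WRITE = 0x40000000      # CreateFile dwDesiredAccess bit
CREATE_ALWAYS = 0x00000002      # CreateFile dwCreationDisposition value

# One call per line: "• Name.Module(arg,arg,...), ref: addr"; the parens are absent for
# calls the plugin lists without arguments, and "Part of subcall function X:" may prefix it.
API_LINE = re.compile(
    r"•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list[str] = field(default_factory=list)
    ref: str = ""

    def arg(self, index: int) -> int | None:
        """Argument `index` as an int, or None when absent, unknown ('?') or a string literal."""
        if index >= len(self.args):
            return None
        try:
            return int(self.args[index], 16)
        except ValueError:
            return None


def base_name(api: str) -> str:
    """Drop the ANSI/Unicode suffix so CreateProcessA and CreateProcessW hit the same rule."""
    return re.sub(r"[AW]$", "", api)


def parse_block(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:            # section labels such as "APIs" or "Strings"
            continue
        api, module, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(Call(api, module, args, ref))
    return calls


def find_chain(calls: list[Call], chain: list[str]) -> list[Call] | None:
    """Return the calls matching `chain` as an ordered subsequence, or None."""
    matched: list[Call] = []
    for call in calls:
        if len(matched) < len(chain) and base_name(call.api) == chain[len(matched)]:
            matched.append(call)
    return matched if len(matched) == len(chain) else None


def is_process_hollowing(calls: list[Call]) -> bool:
    m = find_chain(calls, ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
                           "SetThreadContext", "ResumeThread"])
    if m is None:
        return False
    flags = m[0].arg(5)                     # dwCreationFlags is CreateProcess's 6th argument
    return flags is not None and bool(flags & CREATE_SUSPENDED)


def is_temp_file_drop(calls: list[Call]) -> bool:
    m = find_chain(calls, ["GetTempPath", "CreateFile", "WriteFile", "CloseHandle"])
    if m is None:
        return False
    access, disposition = m[1].arg(1), m[1].arg(4)   # CreateFile 2nd and 5th arguments
    return access is not None and bool(access & GENERIC_WRITE) and disposition == CREATE_ALWAYS


RULES = {"process_hollowing": is_process_hollowing, "temp_file_drop": is_temp_file_drop}


def classify(block_text: str) -> list[str]:
    calls = parse_block(block_text)
    return [name for name, rule in RULES.items() if rule(calls)]


# Constructed sample input: three "APIs" listings copied from the report above.
HOLLOWING_BLOCK = """APIs
• CreateProcessA.KERNEL32(00000000,00749947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,007522F8), ref: 007497B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,007522F8), ref: 007497EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,007522F8), ref: 007497F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,007522F8), ref: 00749831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,007522F8), ref: 0074984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,007522F8), ref: 0074985B
"""
TEMP_DROP_BLOCK = """APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,007522F8), ref: 0074907B
• wsprintfA.USER32 ref: 007490E9
• CreateFileA.KERNEL32(007522F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0074910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00749122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0074912D
• CloseHandle.KERNEL32(00000000), ref: 00749134
"""
HOSTNAME_BLOCK = """APIs
• gethostname.WS2_32(?,00000080), ref: 0074AD1C
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0074AD7F
"""

if __name__ == "__main__":
    for label, block in [("007497B1", HOLLOWING_BLOCK), ("0074907B", TEMP_DROP_BLOCK),
                         ("0074AD1C", HOSTNAME_BLOCK)]:
        print(label, classify(block) or ["no rule matched"])
```

The subsequence match deliberately tolerates interleaved calls (the TerminateProcess error path between GetThreadContext and WriteProcessMemory, the wsprintfA and lstrlenA between GetTempPath and WriteFile), and it only trusts an argument when the sandbox printed a hex value; a "?" never satisfies a flag check, so a chain whose flags were not recovered is not reported as hollowing.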
                                                                                            APIs
                                                                                              • Part of subcall function 0074DD05: GetTickCount.KERNEL32 ref: 0074DD0F
                                                                                              • Part of subcall function 0074DD05: InterlockedExchange.KERNEL32(007536B4,00000001), ref: 0074DD44
                                                                                              • Part of subcall function 0074DD05: GetCurrentThreadId.KERNEL32 ref: 0074DD53
                                                                                              • Part of subcall function 0074DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0074DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00741E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0074EAAA,?,?), ref: 0074E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0074EAAA,?,?,00000001,?,00741E84,?), ref: 0074E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0074EAAA,?,?,00000001,?,00741E84,?,0000000A), ref: 0074E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0074EAAA,?,?,00000001,?,00741E84,?), ref: 0074E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: d1b485f135d6bf940a5e5a4eafc6ef60c1cf38ed95fadabf2dfdfac65a8e9b5b
                                                                                            • Instruction ID: af201eeb31a05bafcff3f698f5b0c6691a6af2d98796eda45cecb1dc0a12cdf4
                                                                                            • Opcode Fuzzy Hash: d1b485f135d6bf940a5e5a4eafc6ef60c1cf38ed95fadabf2dfdfac65a8e9b5b
                                                                                            • Instruction Fuzzy Hash: E2513F7290020AEFCB11EFA8C985DAEB7F9FF48314F14456AF405A3211EB78EA158B50
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: 9d2c7b6fd84918aea63c342ae290b362e10ef552078919e879e3efd3aaa6fbec
                                                                                            • Instruction ID: fa73a7c3340eb1eb479990f8726f2564e16273f1e246bf360486bbcdbeebe39f
                                                                                            • Opcode Fuzzy Hash: 9d2c7b6fd84918aea63c342ae290b362e10ef552078919e879e3efd3aaa6fbec
                                                                                            • Instruction Fuzzy Hash: 7F21B772504215FFDB115BB0EDC9EDF7B6CEB053A1B208415F546E1090EB79EA00D6B9
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,007522F8), ref: 0074907B
                                                                                            • wsprintfA.USER32 ref: 007490E9
                                                                                            • CreateFileA.KERNEL32(007522F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0074910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00749122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0074912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00749134
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: 2f649c175912d2b1ac4d98ebd39db21322931a7bdc1f6bdab3a7af835ca9e2ed
                                                                                            • Instruction ID: abdc8ae31aa5ce6bd638e217aaf588bc45173ea8f4fc2c9e5d7bc648c518041f
                                                                                            • Opcode Fuzzy Hash: 2f649c175912d2b1ac4d98ebd39db21322931a7bdc1f6bdab3a7af835ca9e2ed
                                                                                            • Instruction Fuzzy Hash: 7411DAB2A40114BBF7246731DC0EFEF366DDBC4711F00C465BB0AA5091EBB84A1186B4
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0074DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0074DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0074DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0074E538,?,76230F10,?,00000000,?,0074A445), ref: 0074DD3B
                                                                                            • InterlockedExchange.KERNEL32(007536B4,00000001), ref: 0074DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0074DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: d6ad3c46829cbce5e96dc22e0a6d47819e10b90f480bfa47f9afff3d89850ee4
                                                                                            • Instruction ID: 2b149f85d37f32e01ff9acdf053397fe41b5aa23b43683d73cbaf4f59b60edff
                                                                                            • Opcode Fuzzy Hash: d6ad3c46829cbce5e96dc22e0a6d47819e10b90f480bfa47f9afff3d89850ee4
                                                                                            • Instruction Fuzzy Hash: 66F0E272604304AFC7905B65AC98BA93BA4E744393F00802AE50DC22B1C7BC5D498FAA
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0074AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0074AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0074AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0074AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 3fede5ed46b24b38fa36cc54054b280be346cd9b4592468a137130a329ec49cd
                                                                                            • Instruction ID: f3bb10444df706a718bb086a1b0263df33ac313d34148d8005edca335b1e1f36
                                                                                            • Opcode Fuzzy Hash: 3fede5ed46b24b38fa36cc54054b280be346cd9b4592468a137130a329ec49cd
                                                                                            • Instruction Fuzzy Hash: 18016D24EC42897DDF350628C844BF43F656B97706F104095E4C0CB55DDB5C98478FA7
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00744BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00744BEC
                                                                                            • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,00745D02,00000000,?,0074B85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 00744BF9
                                                                                            • InterlockedExchange.KERNEL32(02E1E1A8,00000001), ref: 00744C02
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 2207858713-2903620461
                                                                                            • Opcode ID: 301f3a6ac7e63fdd328417b5541f3e60ad649441401dd08f34826a3a2a8549fd
                                                                                            • Instruction ID: 3a08f20de9134144bd7904d449edc8c917082553071df8924c80e223e15b06a0
                                                                                            • Opcode Fuzzy Hash: 301f3a6ac7e63fdd328417b5541f3e60ad649441401dd08f34826a3a2a8549fd
                                                                                            • Instruction Fuzzy Hash: 57E0867224131457C61017A55C84F9A7798DB55363F164462FA0CD2190DA9ED84191F9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,007498FD,00000001,00000100,007522F8,0074A3C7), ref: 00744290
                                                                                            • CloseHandle.KERNEL32(0074A3C7), ref: 007443AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 007443AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 17bfe351e62cebb2878cb4027543a222b5a118afbdc2365a674c51090d880247
                                                                                            • Instruction ID: 4a05774f486a4823a0300f1ddfb15f3814b29d42b1ed88e2ca749d9591d5032c
                                                                                            • Opcode Fuzzy Hash: 17bfe351e62cebb2878cb4027543a222b5a118afbdc2365a674c51090d880247
                                                                                            • Instruction Fuzzy Hash: 61418D71D00209FADF10ABA1CD8AFEFBBB8EF40325F104555F615B2191D7789A40EBA0
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,007464CF,00000000), ref: 0074609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,007464CF,00000000), ref: 007460C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0074614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0074619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: db6f8ac17046e7e8af85305ad69e9a4e133763b05312de6ec8c758185b2d96be
                                                                                            • Instruction ID: e03ab9f84b2a1ae12fd2cc6979472bde75610e13c845378ef6b6cbc72ddc8866
                                                                                            • Opcode Fuzzy Hash: db6f8ac17046e7e8af85305ad69e9a4e133763b05312de6ec8c758185b2d96be
                                                                                            • Instruction Fuzzy Hash: 2C418A71A0020AEFDB14CF68C884BA9B7B9FF15355F248068E816D7291E738ED40CB82
APIs
• GetTickCount.KERNEL32 ref: 0074272E
• htons.WS2_32(00000001), ref: 00742752
• htons.WS2_32(0000000F), ref: 007427D5
• htons.WS2_32(00000001), ref: 007427E3
• sendto.WS2_32(?,00752BF8,00000009,00000000,00000010,00000010), ref: 00742802
  • Part of subcall function 0074EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0074EBFE,7FFF0001,?,0074DB55,7FFF0001), ref: 0074EBD3
  • Part of subcall function 0074EBCC: RtlAllocateHeap.NTDLL(00000000,?,0074DB55,7FFF0001), ref: 0074EBDA
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,007522F8), ref: 0074915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00749166
• CharToOemA.USER32(?,?), ref: 00749174
• wsprintfA.USER32 ref: 007491A9
  • Part of subcall function 00749064: GetTempPathA.KERNEL32(00000400,?,00000000,007522F8), ref: 0074907B
  • Part of subcall function 00749064: wsprintfA.USER32 ref: 007490E9
  • Part of subcall function 00749064: CreateFileA.KERNEL32(007522F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0074910E
  • Part of subcall function 00749064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00749122
  • Part of subcall function 00749064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0074912D
  • Part of subcall function 00749064: CloseHandle.KERNEL32(00000000), ref: 00749134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 007491E1
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00742491,?,?,?,0074E844,-00000030,?,?,?,00000001), ref: 00742429
• lstrlenA.KERNEL32(?,?,00742491,?,?,?,0074E844,-00000030,?,?,?,00000001,00741E3D,00000001,localcfg,lid_file_upd), ref: 0074243E
• lstrcmpiA.KERNEL32(?,?), ref: 00742452
• lstrlenA.KERNEL32(?,?,00742491,?,?,?,0074E844,-00000030,?,?,?,00000001,00741E3D,00000001,localcfg,lid_file_upd), ref: 00742467
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00746F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*pt), ref: 00746F24
• FreeSid.ADVAPI32(?), ref: 00746F3E
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *pt
• API String ID: 3429775523-2999768823
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
  • Part of subcall function 0074DD05: GetTickCount.KERNEL32 ref: 0074DD0F
  • Part of subcall function 0074DD05: InterlockedExchange.KERNEL32(007536B4,00000001), ref: 0074DD44
  • Part of subcall function 0074DD05: GetCurrentThreadId.KERNEL32 ref: 0074DD53
• lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00745EC1), ref: 0074E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00745EC1), ref: 0074E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,76230F10,00000000,?,00745EC1), ref: 0074E722
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0074E2A3,00000000,00000000,00000000,00020106,00000000,0074E2A3,00000000,000000E4), ref: 0074E0B2
• RegSetValueExA.ADVAPI32(0074E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,007522F8), ref: 0074E127
• RegDeleteValueA.ADVAPI32(0074E2A3,?,?,?,?,?,000000C8,007522F8), ref: 0074E158
• RegCloseKey.ADVAPI32(0074E2A3,?,?,?,?,000000C8,007522F8,?,?,?,?,?,?,?,?,0074E2A3), ref: 0074E161
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0074A3C7,00000000,00000000,000007D0,00000001), ref: 00743F44
• GetLastError.KERNEL32 ref: 00743F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00743F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00743F72
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0074A3C7,00000000,00000000,000007D0,00000001), ref: 00743FB8
• GetLastError.KERNEL32 ref: 00743FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00743FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00743FE6
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• GetTickCount.KERNEL32 ref: 0074A4D1
• GetTickCount.KERNEL32 ref: 0074A4E4
• Sleep.KERNEL32(00000000,?,0074C2E9,0074C4E0,00000000,localcfg,?,0074C4E0,00753588,00748810), ref: 0074A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0074A4FA
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00744E9E
• GetTickCount.KERNEL32 ref: 00744EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00744EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00744EC3
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00743103
                                                                                            • GetTickCount.KERNEL32 ref: 0074310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0074311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00743128
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: ec5501fef1b455c95798d8421d5c6a90471153969e616d3f4c569ab5bff48e24
                                                                                            • Instruction ID: 2f0a7f8bc872da7b492a61375b66e478ff8109e92d689f74e177f940c3e87360
                                                                                            • Opcode Fuzzy Hash: ec5501fef1b455c95798d8421d5c6a90471153969e616d3f4c569ab5bff48e24
                                                                                            • Instruction Fuzzy Hash: ABE0C231200319EBDB002B75AD84F8A6B5ADF84762F114431F60DE60E0CAA84D0089B1
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00749A60,?,?,00000000,00000000,00749A60,?,00000000), ref: 007469F9
                                                                                            • WriteFile.KERNEL32(00749A60,?,00749A60,00000000,00000000), ref: 00746A27
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,kt
                                                                                            • API String ID: 3934441357-527917535
                                                                                            • Opcode ID: c3d6dda47f69b07bfcf60158f8b907c9dd69973f92f5be43693e6e858714fb84
                                                                                            • Instruction ID: bcab62a6cac23438ec3b5203256e07d63a074ec1003a6a644fefdbc61f3b1aee
                                                                                            • Opcode Fuzzy Hash: c3d6dda47f69b07bfcf60158f8b907c9dd69973f92f5be43693e6e858714fb84
                                                                                            • Instruction Fuzzy Hash: 53314B72A00609EFDB24DF68DD84BAAB7F4EF15315F11846AE805E7240D374EE54CBA2
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            • Opcode ID: 407b6948eada7cbe957acbe49a92000f2edc5b84398c8d7e9d37323ebe53d9aa
                                                                                            • Instruction ID: fb6bc0b5034b4b3a8023eb2ef1f6ff2dedfda14be5875267edd640f5e92a9243
                                                                                            • Opcode Fuzzy Hash: 407b6948eada7cbe957acbe49a92000f2edc5b84398c8d7e9d37323ebe53d9aa
                                                                                            • Instruction Fuzzy Hash: 93210532F02209AFDB508F64DC8559EB7B9EB24341B294099E401DB2A1CF3CE900CF56
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0074C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            • Opcode ID: 1cf711220c5db904d744b7fd848615382ec48523a7ea7c6164c4802c016da425
                                                                                            • Instruction ID: 08fa802c0087dfbd5d2659ce760f65767225b800b20abc69c2083210e57021f7
                                                                                            • Opcode Fuzzy Hash: 1cf711220c5db904d744b7fd848615382ec48523a7ea7c6164c4802c016da425
                                                                                            • Instruction Fuzzy Hash: 2F116A72100100FFDB529BA9DD44E567FA6FF88319B34919CF6188E166D633D863DB50
                                                                                            APIs
                                                                                              • Part of subcall function 007430FA: GetTickCount.KERNEL32 ref: 00743103
                                                                                              • Part of subcall function 007430FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00743128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00743929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00743939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            • Opcode ID: 4ef20be1e286d4b249f173fcef8578e1119ea4e256202e7ee2a7ab31eb570b34
                                                                                            • Instruction ID: b49e83e535d09d41e4c45134386f80b2887fbd2a2b56c5ab973c0d7881e32d0e
                                                                                            • Opcode Fuzzy Hash: 4ef20be1e286d4b249f173fcef8578e1119ea4e256202e7ee2a7ab31eb570b34
                                                                                            • Instruction Fuzzy Hash: 4F113AB1910215EFD724DF19D485A9CF3F4FB0971AF10855EE84897292D7B8BA81CFA0
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0074BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0074ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00753640), ref: 0074ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 57d6e19310218088ef1e56ef687000854cb013d1546409dbe8ee05ee534c8b8c
                                                                                            • Instruction ID: 2d5d9b6c5add506a601d081e2a2404f0f257baf3f678dfd54c79c41f99d6f75f
                                                                                            • Opcode Fuzzy Hash: 57d6e19310218088ef1e56ef687000854cb013d1546409dbe8ee05ee534c8b8c
                                                                                            • Instruction Fuzzy Hash: 6B01B1B15483C4BFDB11CF18D881F967BA6EF25354F144488F98487253C3B8EA44CB92
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 007426C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 007426E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: 4f5e1b839335ffa500eda4b6dee40cf92618b26da34de3eb14255303c42c8983
                                                                                            • Instruction ID: 78436e620b10d823afb59471dd7dcdc403e7603a58058cee342e52faa3d34d94
                                                                                            • Opcode Fuzzy Hash: 4f5e1b839335ffa500eda4b6dee40cf92618b26da34de3eb14255303c42c8983
                                                                                            • Instruction Fuzzy Hash: 3EF03732248309BFEF006FA4EC09BEA379CEF05761F148425F908DA491DBB5D95197D9
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0074EB54,_alldiv,0074F0B7,80000001,00000000,00989680,00000000,?,?,?,0074E342,00000000,75B4EA50,80000001,00000000), ref: 0074EAF2
                                                                                            • GetProcAddress.KERNEL32(77310000,00000000), ref: 0074EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: edcc1ce952a88a034ec4e4218414d628a94ad4c40b69fd5b0d798287c33f15c8
                                                                                            • Instruction ID: dbd341efcc13cc844fc16df20376cd13c77bf6635dc70df48552c0168d6c4339
                                                                                            • Opcode Fuzzy Hash: edcc1ce952a88a034ec4e4218414d628a94ad4c40b69fd5b0d798287c33f15c8
                                                                                            • Instruction Fuzzy Hash: 1BD0C9B4600306AB8F124F649D0AEC976A8FB50753B80C019A40AC1160E7BCD859DA09
                                                                                            APIs
                                                                                              • Part of subcall function 00742D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00742F01,?,007420FF,00752000), ref: 00742D3A
                                                                                              • Part of subcall function 00742D21: LoadLibraryA.KERNEL32(?), ref: 00742D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00742F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00742F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000F.00000002.3356837829.0000000000740000.00000040.00000400.00020000.00000000.sdmp, Offset: 00740000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_15_2_740000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 781e4c1d1b91156e5f7131997a3947a77bd4a1de4254e3c75cfbda3905afb932
                                                                                            • Instruction ID: 0b9fa73e2b8b5e99e9918695847fed8fd7d1598f74fc218af123c5aea02a88b0
                                                                                            • Opcode Fuzzy Hash: 781e4c1d1b91156e5f7131997a3947a77bd4a1de4254e3c75cfbda3905afb932
                                                                                            • Instruction Fuzzy Hash: 5651DE7190021ADFDF01DF64D8889FAB7B5FF15300F104169EC9AC7221E7369A1ACB90