
Windows Analysis Report
vekvtia.exe

Overview

General Information

Sample name: vekvtia.exe
Analysis ID: 1503657
MD5: 274d0ab4368246be7f22990d9d5cb4cf
SHA1: d34547e852863893aef034effc726bf2ee227d02
SHA256: 21a5e8cf356706a639eee50ea97cecef91685eb906921245c314ac50950b9825
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vekvtia.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\vekvtia.exe" MD5: 274D0AB4368246BE7F22990D9D5CB4CF)
    • cmd.exe (PID: 7120 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xembmrjv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6476 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\igqrtpsy.exe" C:\Windows\SysWOW64\xembmrjv\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5040 cmdline: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7108 cmdline: "C:\Windows\System32\sc.exe" description xembmrjv "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 320 cmdline: "C:\Windows\System32\sc.exe" start xembmrjv MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 3692 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • igqrtpsy.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d"C:\Users\user\Desktop\vekvtia.exe" MD5: CA75AED3D5A70F14C63D2616B573BB74)
    • svchost.exe (PID: 3664 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 2372 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source | Rule | Description | Author | Strings
0.2.vekvtia.exe.780e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0.2.vekvtia.exe.780e67.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
12.2.igqrtpsy.exe.400000.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
12.2.igqrtpsy.exe.400000.0.raw.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
12.2.igqrtpsy.exe.400000.0.raw.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d"C:\Users\user\Desktop\vekvtia.exe", ParentImage: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe, ParentProcessId: 5784, ParentProcessName: igqrtpsy.exe, ProcessCommandLine: svchost.exe, ProcessId: 3664, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\vekvtia.exe", ParentImage: C:\Users\user\Desktop\vekvtia.exe, ParentProcessId: 7152, ParentProcessName: vekvtia.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5040, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.8.49, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 3664, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d"C:\Users\user\Desktop\vekvtia.exe", ParentImage: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe, ParentProcessId: 5784, ParentProcessName: igqrtpsy.exe, ProcessCommandLine: svchost.exe, ProcessId: 3664, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 3664, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\xembmrjv
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\vekvtia.exe", ParentImage: C:\Users\user\Desktop\vekvtia.exe, ParentProcessId: 7152, ParentProcessName: vekvtia.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5040, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 2372, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: jotunheim.name:443; Avira URL Cloud: Label: malware
Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: 12.3.igqrtpsy.exe.790000.0.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vekvtia.exe; ReversingLabs: Detection: 39%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\igqrtpsy.exe; Joe Sandbox ML: detected
Source: vekvtia.exe; Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\vekvtia.exe; Unpacked PE file: 0.2.vekvtia.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe; Unpacked PE file: 12.2.igqrtpsy.exe.400000.0.unpack
Source: C:\Users\user\Desktop\vekvtia.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\xembmrjv

Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.8.49 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 77.232.41.29 443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.204.79 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 142.251.168.26 25
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 67.195.204.79
Source: Joe Sandbox View; IP Address: 52.101.8.49
Source: Joe Sandbox View; IP Address: 94.100.180.31
Source: Joe Sandbox View; ASN Name: YAHOO-3US
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: EUT-ASEUTIPNetworkRU
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 52.101.8.49:25
Source: global traffic; TCP traffic: 192.168.2.5:49714 -> 67.195.204.79:25
Source: global traffic; TCP traffic: 192.168.2.5:49715 -> 142.251.168.26:25
Source: global traffic; TCP traffic: 192.168.2.5:49718 -> 94.100.180.31:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree 0_2_00402A62
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vekvtia.exe PID: 7152, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: igqrtpsy.exe PID: 5784, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 3664, type: MEMORYSTR

System Summary

Source: 0.2.vekvtia.exe.780e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.vekvtia.exe.780e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.3.igqrtpsy.exe.790000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.3.igqrtpsy.exe.790000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.igqrtpsy.exe.770e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.igqrtpsy.exe.770e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.3.vekvtia.exe.7a0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.3.vekvtia.exe.7a0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000C.00000002.2095880214.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
Source: 00000000.00000002.2094240517.00000000007E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle 0_2_00408E26
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError 0_2_00401280
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Windows\SysWOW64\xembmrjv\
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe; Code function: 12_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 15_2_003EC913
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\vekvtia.exe; Code function: String function: 007827AB appears 35 times
Source: vekvtia.exe, 00000000.00000002.2094263311.00000000008B3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCmd.Exej% vs vekvtia.exe
Source: 0.2.vekvtia.exe.780e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.vekvtia.exe.780e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.3.igqrtpsy.exe.790000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.3.igqrtpsy.exe.790000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 12.2.igqrtpsy.exe.770e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 12.2.igqrtpsy.exe.770e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.vekvtia.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.vekvtia.exe.7a0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2095880214.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000002.2094240517.00000000007E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@23/3@9/5
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, 0_2_00406A60
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_007F9180 CreateToolhelp32Snapshot,Module32First, 0_2_007F9180
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_003E9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 15_2_003E9A6B
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1876:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03
        Source: C:\Users\user\Desktop\vekvtia.exe | File created: C:\Users\user\AppData\Local\Temp\igqrtpsy.exe
        Source: C:\Users\user\Desktop\vekvtia.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\vekvtia.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: vekvtia.exe | ReversingLabs: Detection: 39%
        Source: C:\Users\user\Desktop\vekvtia.exe | File read: C:\Users\user\Desktop\vekvtia.exe
        Source: C:\Users\user\Desktop\vekvtia.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-14950
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_12-15091
        Source: unknown | Process created: C:\Users\user\Desktop\vekvtia.exe "C:\Users\user\Desktop\vekvtia.exe"
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xembmrjv\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\igqrtpsy.exe" C:\Windows\SysWOW64\xembmrjv\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description xembmrjv "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start xembmrjv
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d"C:\Users\user\Desktop\vekvtia.exe"
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\vekvtia.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\vekvtia.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: vekvtia.exeStatic file information: File size 10966528 > 1048576
        Source: C:\Users\user\Desktop\vekvtia.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\vekvtia.exe | Unpacked PE file: 0.2.vekvtia.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Unpacked PE file: 12.2.igqrtpsy.exe.400000.0.unpack .text:ER;.data:W;.tuhorak:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\vekvtia.exe | Unpacked PE file: 0.2.vekvtia.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Unpacked PE file: 12.2.igqrtpsy.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_007FC468 push 0000002Bh; iretd 0_2_007FC46E
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_008F57C0 push 0000002Bh; iretd 12_2_008F57C6

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe (copy)
        Source: C:\Users\user\Desktop\vekvtia.exe | File created: C:\Users\user\AppData\Local\Temp\igqrtpsy.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xembmrjv
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\vekvtia.exe
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\vekvtia.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_003E199C inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_12-16424)
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_15-6408)
        Source: C:\Users\user\Desktop\vekvtia.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-15435)
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision (graph_15-6126)
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_12-15466)
        Source: C:\Users\user\Desktop\vekvtia.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-16143)
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_15-6416)
        Source: C:\Users\user\Desktop\vekvtia.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_0-15189)
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_15-7416)
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_12-15107)
        Source: C:\Users\user\Desktop\vekvtia.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-14965)
        Source: C:\Users\user\Desktop\vekvtia.exe | API coverage: 5.9 %
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | API coverage: 4.4 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 4464 | Thread sleep count: 36 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 4464 | Thread sleep time: -36000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount
        Source: svchost.exe, 0000000F.00000002.3294939661.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV*U
        Source: C:\Users\user\Desktop\vekvtia.exe | API call chain: ExitProcess graph end node (graph_0-15396)
        Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node (graph_15-6417)

        Anti Debugging

        Source: C:\Users\user\Desktop\vekvtia.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_0-16453)
        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_15-7651)
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep (graph_12-16485)
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_0078092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00780D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_007F8A5D push dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_0077092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_00770D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_008F1DB5 push dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_003E9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 77.232.41.29 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.79 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 3E0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3E0000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3E0000
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4D5008
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xembmrjv\
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\igqrtpsy.exe" C:\Windows\SysWOW64\xembmrjv\
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description xembmrjv "wifi internet conection"
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start xembmrjv
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid
        Source: C:\Users\user\Desktop\vekvtia.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\vekvtia.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00407A95 RegOpenKeyExA,CreateThread,GetUserNameA,LookupAccountNameA,RegGetKeySecurity,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,RegOpenKeyExA,RegSetValueExA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegSetKeySecurity,LocalFree,RegCloseKey
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Users\user\Desktop\vekvtia.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: vekvtia.exe PID: 7152, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: igqrtpsy.exe PID: 5784, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3664, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 12.2.igqrtpsy.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.770e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.vekvtia.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.vekvtia.exe.7a0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.790000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.igqrtpsy.exe.790000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.vekvtia.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.vekvtia.exe.780e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.3e0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 15.2.svchost.exe.3e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.igqrtpsy.exe.790000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: vekvtia.exe PID: 7152, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: igqrtpsy.exe PID: 5784, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3664, type: MEMORYSTR
        Source: C:\Users\user\Desktop\vekvtia.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        Source: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 15_2_003E88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname
        MITRE ATT&CK Matrix

        Each cell names an ATT&CK technique; a number in parentheses is the report's count of matching signatures for a technique observed in this analysis, and cells without a number were not observed.

        | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
        | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
        | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Native API (41) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (3) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
        | Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (12) | Exfiltration Over Bluetooth | Network Denial of Service |
        | Email Addresses | DNS Server | Domain Accounts | Service Execution (3) | Windows Service (14) | Access Token Manipulation (1) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact |
        | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Windows Service (14) | Software Packing (2) | NTDS | System Information Discovery (15) | Distributed Component Object Model | Input Capture | Application Layer Protocol (112) | Traffic Duplication | Data Destruction |
        | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (412) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (111) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
        | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | File Deletion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
        | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading (12) | DCSync | Process Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
        | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts (1) | Proc Filesystem | System Owner/User Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
        | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (11) | /etc/passwd and /etc/shadow | System Network Configuration Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
        | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Access Token Manipulation (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
        | Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Process Injection (412) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
        Behavior Graph (ID: 1503657, Sample: vekvtia.exe, Start date: 03/09/2024, Architecture: WINDOWS, Score: 100)

        Root node (sample start):
        • DNS/IP: yahoo.com; vanaheim.cn; 6 other IPs or domains
        • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
        • Started processes: igqrtpsy.exe; vekvtia.exe; svchost.exe

        igqrtpsy.exe (started from root):
        • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
        • Started processes: svchost.exe

        vekvtia.exe (started from root):
        • Created file: C:\Users\user\AppData\Local\...\igqrtpsy.exe, PE32 (dropped)
        • Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
        • Started processes: cmd.exe; netsh.exe; cmd.exe; 3 other processes

        svchost.exe (started from igqrtpsy.exe):
        • DNS/IP: mta6.am0.yahoodns.net 67.195.204.79 port 25 (YAHOO-3US, United States); microsoft-com.mail.protection.outlook.com 52.101.8.49 port 25 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 3 other IPs or domains
        • Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

        cmd.exe (started from vekvtia.exe):
        • Created file: C:\Windows\SysWOW64\...\igqrtpsy.exe (copy), PE32 (dropped)
        • Started processes: conhost.exe

        netsh.exe (started from vekvtia.exe): started conhost.exe
        cmd.exe (second instance, started from vekvtia.exe): started conhost.exe
        3 other processes (started from vekvtia.exe): started three conhost.exe instances

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial sample:
        Source | Detection | Scanner | Label | Link
        vekvtia.exe | 39% | ReversingLabs | |
        vekvtia.exe | 100% | Joe Sandbox ML | |

        Dropped files:
        Source | Detection | Scanner | Label | Link
        C:\Users\user\AppData\Local\Temp\igqrtpsy.exe | 100% | Joe Sandbox ML | |

        Unpacked PE files: No Antivirus matches

        Domains: No Antivirus matches

        URLs:
        Source | Detection | Scanner | Label | Link
        jotunheim.name:443 | 100% | Avira URL Cloud | malware |
        vanaheim.cn:443 | 100% | Avira URL Cloud | phishing |
        Domains:
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        mta6.am0.yahoodns.net | 67.195.204.79 | true | true | | unknown
        mxs.mail.ru | 94.100.180.31 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 52.101.8.49 | true | true | | unknown
        vanaheim.cn | 77.232.41.29 | true | true | | unknown
        smtp.google.com | 142.251.168.26 | true | false | | unknown
        google.com | unknown | unknown | true | | unknown
        yahoo.com | unknown | unknown | true | | unknown
        mail.ru | unknown | unknown | true | | unknown
        URLs:
        Name | Malicious | Antivirus Detection | Reputation
        vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
        jotunheim.name:443 | true | Avira URL Cloud: malware | unknown
        IPs:
        IP | Domain | Country | ASN | ASN Name | Malicious
        67.195.204.79 | mta6.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
        52.101.8.49 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        142.251.168.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        77.232.41.29 | vanaheim.cn | Russian Federation | 28968 | EUT-ASEUTIPNetworkRU | true
        94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
                        Joe Sandbox version: 40.0.0 Tourmaline
                        Analysis ID: 1503657
                        Start date and time: 2024-09-03 19:05:09 +02:00
                        Joe Sandbox product: CloudBasic
                        Overall analysis duration: 0h 5m 17s
                        Hypervisor based Inspection enabled: false
                        Report type: full
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed: 19
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample name: vekvtia.exe
                        Detection: MAL
                        Classification: mal100.troj.evad.winEXE@23/3@9/5
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 66
                        • Number of non-executed functions: 257
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 20.236.44.162, 20.70.246.20, 20.231.239.246, 20.112.250.133, 20.76.201.171
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed; the report is missing behavior information
                        • Report size getting too big, too many NtEnumerateKey calls found
                        • Report size getting too big, too many NtOpenKeyEx calls found
                        • Report size getting too big, too many NtQueryValueKey calls found
                        • VT rate limit hit for: vekvtia.exe
                        Time | Type | Description
                        13:06:48 | API Interceptor | 9x Sleep call for process: svchost.exe modified
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        67.195.204.79file.exeGet hashmaliciousPhorpiexBrowse
                          RqrQG7s66x.dllGet hashmaliciousUnknownBrowse
                            7b8wRbnmKu.exeGet hashmaliciousUnknownBrowse
                              file.msg.scr.exeGet hashmaliciousUnknownBrowse
                                file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                  l3Qj8QhTYZ.exeGet hashmaliciousPhorpiexBrowse
                                    data.log.exeGet hashmaliciousUnknownBrowse
                                      message.elm.exeGet hashmaliciousUnknownBrowse
                                        Update-KB6734-x86.exeGet hashmaliciousUnknownBrowse
                                          Update-KB5058-x86.exeGet hashmaliciousUnknownBrowse
                                            52.101.8.49Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                              .exeGet hashmaliciousUnknownBrowse
                                                ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                  kPl1mZTpru.exeGet hashmaliciousTofseeBrowse
                                                    Wc4SadetF5.exeGet hashmaliciousTofseeBrowse
                                                      L7iza9mNDI.exeGet hashmaliciousTofseeBrowse
                                                        file.exeGet hashmaliciousTofseeBrowse
                                                          mvu3vh0t.exeGet hashmaliciousTofseeBrowse
                                                            U9dDsItOij.exeGet hashmaliciousTofseeBrowse
                                                              bwntJQufLG.exeGet hashmaliciousTofseeBrowse
                                                                77.232.41.29knkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                  foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                    UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                      bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                        94.100.180.31UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                          igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                            fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                              rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                                setup.exeGet hashmaliciousTofseeBrowse
                                                                                  m4Jp2TLBHJ.exeGet hashmaliciousTofseeBrowse
                                                                                    SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exeGet hashmaliciousTofseeBrowse
                                                                                      vyrcclmm.exeGet hashmaliciousTofseeBrowse
                                                                                        AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                          file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            mxs.mail.ruknkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 94.100.180.31
                                                                                            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                            • 94.100.180.31
                                                                                            fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                            • 94.100.180.31
                                                                                            SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                            • 217.69.139.150
                                                                                            mta6.am0.yahoodns.netfoufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                            • 98.136.96.76
                                                                                            UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.77
                                                                                            SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.228.106
                                                                                            .exeGet hashmaliciousUnknownBrowse
                                                                                            • 98.136.96.76
                                                                                            Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.73
                                                                                            ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.74
                                                                                            rRBVVlBwia.exeGet hashmaliciousTofseeBrowse
                                                                                            • 98.136.96.74
                                                                                            AvDJi40xp_9fyz7RPmKdbxb4.exeGet hashmaliciousTofseeBrowse
                                                                                            • 98.136.96.75
                                                                                            I5vhb7vJPS.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.228.110
                                                                                            OgcktrbHkI.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.228.110
                                                                                            microsoft-com.mail.protection.outlook.comknkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.11.0
                                                                                            foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.40.26
                                                                                            UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.40.26
                                                                                            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.11.0
                                                                                            Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.8.49
                                                                                            igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.40.26
                                                                                            fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.42.0
                                                                                            SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.11.0
                                                                                            .exeGet hashmaliciousUnknownBrowse
                                                                                            • 52.101.40.26
                                                                                            Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.42.0
                                                                                            vanaheim.cnknkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            Eduhazqw4u.exeGet hashmaliciousTofseeBrowse
                                                                                            • 213.226.112.95
                                                                                            igvdwmhd.exeGet hashmaliciousTofseeBrowse
                                                                                            • 213.226.112.95
                                                                                            fdnoqmpv.exeGet hashmaliciousTofseeBrowse
                                                                                            • 213.226.112.95
                                                                                            SGn3RtDC8Y.exeGet hashmaliciousTofseeBrowse
                                                                                            • 213.226.112.95
                                                                                            Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                            • 213.226.112.95
                                                                                            ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                            • 213.226.112.95
                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                            YAHOO-3USUUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.77
                                                                                            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.77
                                                                                            firmware.armv7l.elfGet hashmaliciousUnknownBrowse
                                                                                            • 74.6.99.126
                                                                                            Sm4Ty3Em4z.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.73
                                                                                            ewdWlNc8TL.exeGet hashmaliciousTofseeBrowse
                                                                                            • 67.195.204.74
                                                                                            arm7.elfGet hashmaliciousMiraiBrowse
                                                                                            • 98.139.166.43
                                                                                            https://www.ima-india.com/index.phpGet hashmaliciousUnknownBrowse
                                                                                            • 74.6.138.67
                                                                                            https://www.ima-india.com/index.phpGet hashmaliciousUnknownBrowse
                                                                                            • 74.6.138.67
                                                                                            https://www.ima-india.com/index.php?option=com_content&view=article&id=1092&Itemid=483Get hashmaliciousUnknownBrowse
                                                                                            • 74.6.138.65
                                                                                            D8OieODwpn.elfGet hashmaliciousMirai, Gafgyt, OkiruBrowse
                                                                                            • 72.30.110.165
                                                                                            EUT-ASEUTIPNetworkRUknkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            bEsOrli29K.exeGet hashmaliciousTofseeBrowse
                                                                                            • 77.232.41.29
                                                                                            Set-up.exeGet hashmaliciousCryptbotBrowse
                                                                                            • 77.232.42.234
                                                                                            Set-up.exeGet hashmaliciousCryptbotBrowse
                                                                                            • 77.232.42.234
                                                                                            file.exeGet hashmaliciousCryptbotBrowse
                                                                                            • 77.232.42.234
                                                                                            file.exeGet hashmaliciousCryptbotBrowse
                                                                                            • 77.232.42.234
                                                                                            file.exeGet hashmaliciousCryptbotBrowse
                                                                                            • 77.232.42.234
                                                                                            file.exeGet hashmaliciousCryptbotBrowse
                                                                                            • 77.232.42.234
                                                                                            MICROSOFT-CORP-MSN-AS-BLOCKUSknkduwqg.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.11.0
                                                                                            foufdsk.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.40.26
                                                                                            UUJycuNA6D.exeGet hashmaliciousTofseeBrowse
                                                                                            • 52.101.40.26
                                                                                            Pensacola Country Club.pdfGet hashmaliciousUnknownBrowse
                                                                                            • 52.108.66.1
                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                            • 13.107.246.67
                                                                                            http://bestbuy.beautybyjoulexa.com.au/citrix/fxc/bWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                                                            • 20.190.160.20
                                                                                            file.exeGet hashmaliciousUnknownBrowse
                                                                                            • 13.107.246.60
                                                                                             http://www.harmonyhomesestateagency.com (Detection: malicious, Threat: Unknown)
                                                                                             • 168.61.99.102
                                                                                             PossiblePhishing.html (Detection: malicious, Threat: HTMLPhisher)
                                                                                             • 13.107.246.60
                                                                                             file.exe (Detection: malicious, Threat: Unknown)
                                                                                             • 13.107.246.60
                                                                                             MAILRU-ASMailRuRU
                                                                                             knkduwqg.exe (Detection: malicious, Threat: Tofsee)
                                                                                             • 217.69.139.150
                                                                                             foufdsk.exe (Detection: malicious, Threat: Tofsee)
                                                                                             • 217.69.139.150
                                                                                             UUJycuNA6D.exe (Detection: malicious, Threat: Tofsee)
                                                                                             • 94.100.180.31
                                                                                             tjigfd64.exe (Detection: malicious, Threat: LummaC Stealer)
                                                                                             • 5.181.61.0
                                                                                             tjigfd64.exe (Detection: malicious, Threat: LummaC Stealer)
                                                                                             • 5.181.61.0
                                                                                             bEsOrli29K.exe (Detection: malicious, Threat: Tofsee)
                                                                                             • 217.69.139.150
                                                                                             http://manga-netflix10737.tinyblogging.com.xx3.kz/ (Detection: malicious, Threat: Unknown)
                                                                                             • 94.100.180.209
                                                                                             SecuriteInfo.com.Trojan.Crypt.23519.13317.exe (Detection: malicious, Threat: Unknown)
                                                                                             • 188.93.63.129
                                                                                             SecuriteInfo.com.Trojan.Crypt.23519.13317.exe (Detection: malicious, Threat: Unknown)
                                                                                             • 188.93.63.180
                                                                                             Eduhazqw4u.exe (Detection: malicious, Threat: Tofsee)
                                                                                             • 217.69.139.150
                                                                                            Process:C:\Users\user\Desktop\vekvtia.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):12936704
                                                                                            Entropy (8bit):4.596303678164068
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:4c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:41OZDisvwdaxO0PuG1R4CWs
                                                                                            MD5:CA75AED3D5A70F14C63D2616B573BB74
                                                                                            SHA1:4B27332D9E901CFA61A32E96E64BFF1EBCD6CE09
                                                                                            SHA-256:99CDFAFD7F532F87951A79A74A90B9F10DC8A5FFCB4915298D9BE610AB217EA4
                                                                                            SHA-512:D02AD32803E325411B9A0F30DF718B9F0120669DF9AD9243F8C8095F7CBBC868EB299BE693BE709B7B66E6ED5CC3805764303A0D4607E4B14FDE3C6CC9FEA254
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&..........v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\cmd.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):12936704
                                                                                            Entropy (8bit):4.596303678164068
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:4c6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:41OZDisvwdaxO0PuG1R4CWs
                                                                                            MD5:CA75AED3D5A70F14C63D2616B573BB74
                                                                                            SHA1:4B27332D9E901CFA61A32E96E64BFF1EBCD6CE09
                                                                                            SHA-256:99CDFAFD7F532F87951A79A74A90B9F10DC8A5FFCB4915298D9BE610AB217EA4
                                                                                            SHA-512:D02AD32803E325411B9A0F30DF718B9F0120669DF9AD9243F8C8095F7CBBC868EB299BE693BE709B7B66E6ED5CC3805764303A0D4607E4B14FDE3C6CC9FEA254
                                                                                            Malicious:true
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e.............................l............@..................................p..........................................P........&...........................................................N..@............................................text............................... ..`.data............|..................@....tuhorak.............r..............@..@.rsrc....&..........v..............@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Windows\SysWOW64\netsh.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):3773
                                                                                            Entropy (8bit):4.7109073551842435
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                            MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                            SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                            SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                            SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                            Malicious:false
                                                                                            Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Entropy (8bit):4.608398278849609
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:vekvtia.exe
                                                                                            File size:10'966'528 bytes
                                                                                            MD5:274d0ab4368246be7f22990d9d5cb4cf
                                                                                            SHA1:d34547e852863893aef034effc726bf2ee227d02
                                                                                            SHA256:21a5e8cf356706a639eee50ea97cecef91685eb906921245c314ac50950b9825
                                                                                            SHA512:dab676f30f08c6719e26cc376c89803a14d89adf50c6ee31d941f724b3dae03ca1cce950a3dd7651e3ed5f40323b021c875cdd1dfbbba9952cd417d7a3f90e81
                                                                                            SSDEEP:6144:Sc6OZDisWsD0Td2HJxO+m8PuG1R4WnWjrsaz:S1OZDisvwdaxO0PuG1R4CWs
                                                                                            TLSH:7EB6537392E5BD54FA627A329E2FC6FC361EF951CD08379A2118BF0F2471162D1AA311
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`P..$1v.$1v.$1v.KG..81v.KG..>1v.KG..T1v.-I..#1v.$1w..1v.KG..%1v.KG..%1v.KG..%1v.Rich$1v.........PE..L....M.e...................
                                                                                            Icon Hash:cd4d3d2e4e054d03
                                                                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                             Sep 3, 2024 19:06:06.144110918 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
                                                                                             Sep 3, 2024 19:06:07.146706104 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
                                                                                             Sep 3, 2024 19:06:09.146687031 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
                                                                                             Sep 3, 2024 19:06:09.241677999 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:06:09.241715908 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:09.241792917 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:06:13.162341118 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
                                                                                             Sep 3, 2024 19:06:21.162314892 CEST | 49705 | 25 | 192.168.2.5 | 52.101.8.49
                                                                                             Sep 3, 2024 19:06:26.152616978 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
                                                                                             Sep 3, 2024 19:06:27.162405968 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
                                                                                             Sep 3, 2024 19:06:29.177975893 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
                                                                                             Sep 3, 2024 19:06:33.193589926 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
                                                                                             Sep 3, 2024 19:06:41.193597078 CEST | 49714 | 25 | 192.168.2.5 | 67.195.204.79
                                                                                             Sep 3, 2024 19:06:47.019665003 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26
                                                                                             Sep 3, 2024 19:06:48.021739006 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26
                                                                                             Sep 3, 2024 19:06:49.240818977 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:06:49.240900993 CEST | 443 | 49706 | 77.232.41.29 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:49.240968943 CEST | 49706 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:06:49.350766897 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:06:49.350811005 CEST | 443 | 49716 | 77.232.41.29 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:49.350877047 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:06:50.021733999 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26
                                                                                             Sep 3, 2024 19:06:54.021738052 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26
                                                                                             Sep 3, 2024 19:07:02.021806955 CEST | 49715 | 25 | 192.168.2.5 | 142.251.168.26
                                                                                             Sep 3, 2024 19:07:07.038412094 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31
                                                                                             Sep 3, 2024 19:07:08.037384033 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31
                                                                                             Sep 3, 2024 19:07:10.037379026 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31
                                                                                             Sep 3, 2024 19:07:14.052983999 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31
                                                                                             Sep 3, 2024 19:07:22.068690062 CEST | 49718 | 25 | 192.168.2.5 | 94.100.180.31
                                                                                             Sep 3, 2024 19:07:29.350158930 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:07:29.350229025 CEST | 443 | 49716 | 77.232.41.29 | 192.168.2.5
                                                                                             Sep 3, 2024 19:07:29.350325108 CEST | 49716 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:07:29.460329056 CEST | 49719 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Sep 3, 2024 19:07:29.460369110 CEST | 443 | 49719 | 77.232.41.29 | 192.168.2.5
                                                                                             Sep 3, 2024 19:07:29.460462093 CEST | 49719 | 443 | 192.168.2.5 | 77.232.41.29
                                                                                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                             Sep 3, 2024 19:06:05.887734890 CEST | 55583 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:06:06.142760992 CEST | 53 | 55583 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:08.922777891 CEST | 53620 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:06:09.237741947 CEST | 53 | 53620 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:26.132100105 CEST | 55104 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:06:26.139076948 CEST | 53 | 55104 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:26.140149117 CEST | 49916 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 53 | 49916 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:46.163031101 CEST | 62209 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:06:47.011306047 CEST | 53 | 62209 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:06:47.012104034 CEST | 61527 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:06:47.019150972 CEST | 53 | 61527 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:07:07.022238016 CEST | 64084 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:07:07.030286074 CEST | 53 | 64084 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:07:07.030951977 CEST | 49245 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:07:07.037951946 CEST | 53 | 49245 | 1.1.1.1 | 192.168.2.5
                                                                                             Sep 3, 2024 19:08:06.105032921 CEST | 63108 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                             Sep 3, 2024 19:08:06.446161985 CEST | 53 | 63108 | 1.1.1.1 | 192.168.2.5
                                                                                             Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                             Sep 3, 2024 19:06:05.887734890 CEST | 192.168.2.5 | 1.1.1.1 | 0x453e | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:08.922777891 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b29 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.132100105 CEST | 192.168.2.5 | 1.1.1.1 | 0x193f | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.140149117 CEST | 192.168.2.5 | 1.1.1.1 | 0x4ac8 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:46.163031101 CEST | 192.168.2.5 | 1.1.1.1 | 0x1fc3 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.012104034 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a84 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:07:07.022238016 CEST | 192.168.2.5 | 1.1.1.1 | 0xa83e | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:07:07.030951977 CEST | 192.168.2.5 | 1.1.1.1 | 0x6130 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:08:06.105032921 CEST | 192.168.2.5 | 1.1.1.1 | 0x67 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                                             Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                             Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.8.49 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.42.0 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:06.142760992 CEST | 1.1.1.1 | 192.168.2.5 | 0x453e | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.40.26 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:09.237741947 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b29 | No error (0) | vanaheim.cn | - | 77.232.41.29 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.139076948 CEST | 1.1.1.1 | 192.168.2.5 | 0x193f | No error (0) | yahoo.com | - | - | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.139076948 CEST | 1.1.1.1 | 192.168.2.5 | 0x193f | No error (0) | yahoo.com | - | - | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.139076948 CEST | 1.1.1.1 | 192.168.2.5 | 0x193f | No error (0) | yahoo.com | - | - | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.204.79 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.228.106 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.204.72 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.228.111 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.228.109 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.204.77 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 67.195.228.110 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:26.152061939 CEST | 1.1.1.1 | 192.168.2.5 | 0x4ac8 | No error (0) | mta6.am0.yahoodns.net | - | 98.136.96.76 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.011306047 CEST | 1.1.1.1 | 192.168.2.5 | 0x1fc3 | No error (0) | google.com | - | - | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | smtp.google.com | - | 142.251.168.26 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | smtp.google.com | - | 64.233.184.26 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | smtp.google.com | - | 142.250.110.26 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | smtp.google.com | - | 142.250.110.27 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:06:47.019150972 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a84 | No error (0) | smtp.google.com | - | 142.251.168.27 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:07:07.030286074 CEST | 1.1.1.1 | 192.168.2.5 | 0xa83e | No error (0) | mail.ru | - | - | MX (Mail exchange) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:07:07.037951946 CEST | 1.1.1.1 | 192.168.2.5 | 0x6130 | No error (0) | mxs.mail.ru | - | 94.100.180.31 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:07:07.037951946 CEST | 1.1.1.1 | 192.168.2.5 | 0x6130 | No error (0) | mxs.mail.ru | - | 217.69.139.150 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.40.26 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.42.0 | A (IP address) | IN (0x0001) | false
                                                                                             Sep 3, 2024 19:08:06.446161985 CEST | 1.1.1.1 | 192.168.2.5 | 0x67 | No error (0) | microsoft-com.mail.protection.outlook.com | - | 52.101.8.49 | A (IP address) | IN (0x0001) | false

                                                                                            Target ID:0
                                                                                            Start time:13:06:00
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Users\user\Desktop\vekvtia.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\vekvtia.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:10'966'528 bytes
                                                                                            MD5 hash:274D0AB4368246BE7F22990D9D5CB4CF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2058051501.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                            • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2094240517.00000000007E9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:13:06:01
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xembmrjv\
                                                                                            Imagebase:0x790000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:13:06:01
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff6d64d0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:13:06:02
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\igqrtpsy.exe" C:\Windows\SysWOW64\xembmrjv\
                                                                                            Imagebase:0x790000
                                                                                            File size:236'544 bytes
                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:13:06:02
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff6d64d0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:13:06:03
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\sc.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\sc.exe" create xembmrjv binPath= "C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d\"C:\Users\user\Desktop\vekvtia.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                            Imagebase:0x890000
                                                                                            File size:61'440 bytes
                                                                                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:13:06:03
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff6d64d0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:13:06:03
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\sc.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\sc.exe" description xembmrjv "wifi internet conection"
                                                                                            Imagebase:0x890000
                                                                                            File size:61'440 bytes
                                                                                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:13:06:03
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff6d64d0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:13:06:04
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\sc.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\sc.exe" start xembmrjv
                                                                                            Imagebase:0x890000
                                                                                            File size:61'440 bytes
                                                                                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:moderate
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:13:06:04
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff6d64d0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:13:06:04
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe /d"C:\Users\user\Desktop\vekvtia.exe"
                                                                                            Imagebase:0x400000
                                                                                            File size:12'936'704 bytes
                                                                                            MD5 hash:CA75AED3D5A70F14C63D2616B573BB74
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2095674922.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2094722806.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                            • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2095880214.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:13:06:04
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\netsh.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                            Imagebase:0x1080000
                                                                                            File size:82'432 bytes
                                                                                            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:14
                                                                                            Start time:13:06:04
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff6d64d0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:true

                                                                                            Target ID:15
                                                                                            Start time:13:06:04
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\SysWOW64\svchost.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:svchost.exe
                                                                                            Imagebase:0xbe0000
                                                                                            File size:46'504 bytes
                                                                                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                            • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                            Has exited:false

                                                                                            Target ID:18
                                                                                            Start time:13:06:44
                                                                                            Start date:03/09/2024
                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                            Imagebase:0x7ff7e52b0000
                                                                                            File size:55'320 bytes
                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Has exited:false


                                                                                              Execution Graph

                                                                                              Execution Coverage:3.7%
                                                                                              Dynamic/Decrypted Code Coverage:30.2%
                                                                                              Signature Coverage:27.3%
                                                                                              Total number of Nodes:1595
                                                                                              Total number of Limit Nodes:19
15915 40ebcc 4 API calls 15913->15915 15916 40ebcc 4 API calls 15914->15916 15918 40c699 15914->15918 15915->15914 15916->15918 15917 40c6f3 15917->15370 15917->15435 15918->15917 15919 40c73c send 15918->15919 15919->15917 15921 40c770 15920->15921 15922 40c77d 15920->15922 15923 40ebcc 4 API calls 15921->15923 15924 40c799 15922->15924 15925 40ebcc 4 API calls 15922->15925 15923->15922 15926 40c7b5 15924->15926 15928 40ebcc 4 API calls 15924->15928 15925->15924 15927 40f43e recv 15926->15927 15929 40c7cb 15927->15929 15928->15926 15930 40f43e recv 15929->15930 15931 40c7d3 15929->15931 15930->15931 15931->15435 16048 407db7 15932->16048 15935 407e70 15937 407e96 15935->15937 15939 40f04e 4 API calls 15935->15939 15936 40f04e 4 API calls 15938 407e4c 15936->15938 15937->15435 15938->15935 15940 40f04e 4 API calls 15938->15940 15939->15937 15940->15935 15942 406ec3 2 API calls 15941->15942 15943 407fdd 15942->15943 15944 4073ff 17 API calls 15943->15944 15953 4080c2 CreateProcessA 15943->15953 15945 407fff 15944->15945 15946 407809 21 API calls 15945->15946 15945->15953 15947 40804d 15946->15947 15948 40ef1e lstrlenA 15947->15948 15947->15953 15949 40809e 15948->15949 15950 40ef1e lstrlenA 15949->15950 15951 4080af 15950->15951 15952 407a95 24 API calls 15951->15952 15952->15953 15953->15423 15953->15424 15955 407db7 2 API calls 15954->15955 15956 407eb8 15955->15956 15957 40f04e 4 API calls 15956->15957 15958 407ece DeleteFileA 15957->15958 15958->15435 15960 40dd05 6 API calls 15959->15960 15961 40e31d 15960->15961 16052 40e177 15961->16052 15963 40e326 15963->15396 15965 4031f3 15964->15965 15975 4031ec 15964->15975 15966 40ebcc 4 API calls 15965->15966 15973 4031fc 15966->15973 15967 403459 15970 40f04e 4 API calls 15967->15970 15968 40349d 15969 40ec2e codecvt 4 API calls 15968->15969 15969->15975 15971 40345f 15970->15971 15972 4030fa 4 API calls 15971->15972 15972->15975 15974 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15973->15974 
15973->15975 15976 40344d 15973->15976 15979 40344b 15973->15979 15980 403141 lstrcmpiA 15973->15980 16078 4030fa GetTickCount 15973->16078 15974->15973 15975->15435 15977 40ec2e codecvt 4 API calls 15976->15977 15977->15979 15979->15967 15979->15968 15980->15973 15982 4030fa 4 API calls 15981->15982 15983 403c1a 15982->15983 15987 403ce6 15983->15987 16083 403a72 15983->16083 15986 403a72 9 API calls 15990 403c5e 15986->15990 15987->15435 15988 403a72 9 API calls 15988->15990 15989 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15989->15990 15990->15987 15990->15988 15990->15989 15992 403a10 15991->15992 15993 4030fa 4 API calls 15992->15993 15994 403a1a 15993->15994 15994->15435 15996 40dd05 6 API calls 15995->15996 15997 40e7be 15996->15997 15997->15435 15999 40c105 15998->15999 16000 40c07e wsprintfA 15998->16000 15999->15435 16092 40bfce GetTickCount wsprintfA 16000->16092 16002 40c0ef 16093 40bfce GetTickCount wsprintfA 16002->16093 16005 407047 16004->16005 16006 406f88 LookupAccountNameA 16004->16006 16005->15435 16008 407025 16006->16008 16009 406fcb 16006->16009 16010 406edd 5 API calls 16008->16010 16011 406fdb ConvertSidToStringSidA 16009->16011 16012 40702a wsprintfA 16010->16012 16011->16008 16013 406ff1 16011->16013 16012->16005 16013->16013 16014 407013 LocalFree 16013->16014 16014->16008 16016 40dd05 6 API calls 16015->16016 16017 40e85c 16016->16017 16018 40dd84 lstrcmpiA 16017->16018 16019 40e867 16018->16019 16020 40e885 lstrcpyA 16019->16020 16094 4024a5 16019->16094 16097 40dd69 16020->16097 16026 407db7 2 API calls 16025->16026 16027 407de1 16026->16027 16028 407e16 16027->16028 16029 40f04e 4 API calls 16027->16029 16028->15435 16030 407df2 16029->16030 16030->16028 16031 40f04e 4 API calls 16030->16031 16031->16028 16033 40dd84 lstrcmpiA 16032->16033 16034 40c58e 16033->16034 16034->15883 16034->15889 16034->15891 16036 40f33b 16035->16036 16043 40ca1d 16035->16043 16037 40f347 htons socket 16036->16037 16038 40f382 
ioctlsocket 16037->16038 16039 40f374 closesocket 16037->16039 16040 40f3aa connect select 16038->16040 16041 40f39d 16038->16041 16039->16043 16040->16043 16044 40f3f2 __WSAFDIsSet 16040->16044 16042 40f39f closesocket 16041->16042 16042->16043 16043->15354 16043->15908 16044->16042 16045 40f403 ioctlsocket 16044->16045 16047 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16045->16047 16047->16043 16049 407dc8 InterlockedExchange 16048->16049 16050 407dc0 Sleep 16049->16050 16051 407dd4 16049->16051 16050->16049 16051->15935 16051->15936 16053 40e184 16052->16053 16054 40e2e4 16053->16054 16055 40e223 16053->16055 16068 40dfe2 16053->16068 16054->15963 16055->16054 16057 40dfe2 8 API calls 16055->16057 16062 40e23c 16057->16062 16058 40e1be 16058->16055 16059 40dbcf 3 API calls 16058->16059 16061 40e1d6 16059->16061 16060 40e21a CloseHandle 16060->16055 16061->16055 16061->16060 16063 40e1f9 WriteFile 16061->16063 16062->16054 16072 40e095 RegCreateKeyExA 16062->16072 16063->16060 16065 40e213 16063->16065 16065->16060 16066 40e2a3 16066->16054 16067 40e095 4 API calls 16066->16067 16067->16054 16069 40dffc 16068->16069 16071 40e024 16068->16071 16070 40db2e 8 API calls 16069->16070 16069->16071 16070->16071 16071->16058 16073 40e172 16072->16073 16075 40e0c0 16072->16075 16073->16066 16074 40e13d 16076 40e14e RegDeleteValueA RegCloseKey 16074->16076 16075->16074 16077 40e115 RegSetValueExA 16075->16077 16076->16073 16077->16074 16077->16075 16079 403122 InterlockedExchange 16078->16079 16080 40312e 16079->16080 16081 40310f GetTickCount 16079->16081 16080->15973 16081->16080 16082 40311a Sleep 16081->16082 16082->16079 16084 40f04e 4 API calls 16083->16084 16091 403a83 16084->16091 16085 403ac1 16085->15986 16085->15987 16086 403be6 16087 40ec2e codecvt 4 API calls 16086->16087 16087->16085 16088 403bc0 16088->16086 16090 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16088->16090 16089 403b66 lstrlenA 16089->16085 16089->16091 
16090->16088 16091->16085 16091->16088 16091->16089 16092->16002 16093->15999 16095 402419 4 API calls 16094->16095 16096 4024b6 16095->16096 16096->16020 16098 40dd79 lstrlenA 16097->16098 16098->15435 16100 404084 16099->16100 16101 40407d 16099->16101 16102 403ecd 6 API calls 16100->16102 16103 40408f 16102->16103 16104 404000 3 API calls 16103->16104 16105 404095 16104->16105 16106 404130 16105->16106 16111 403f18 4 API calls 16105->16111 16107 403ecd 6 API calls 16106->16107 16108 404159 CreateNamedPipeA 16107->16108 16109 404167 Sleep 16108->16109 16110 404188 ConnectNamedPipe 16108->16110 16109->16106 16112 404176 CloseHandle 16109->16112 16114 404195 GetLastError 16110->16114 16119 4041ab 16110->16119 16113 4040da 16111->16113 16112->16110 16115 403f8c 4 API calls 16113->16115 16116 40425e DisconnectNamedPipe 16114->16116 16114->16119 16117 4040ec 16115->16117 16116->16110 16118 404127 CloseHandle 16117->16118 16120 404101 16117->16120 16118->16106 16119->16110 16119->16116 16123 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16119->16123 16124 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16119->16124 16125 40426a CloseHandle CloseHandle 16119->16125 16121 403f18 4 API calls 16120->16121 16122 40411c ExitProcess 16121->16122 16123->16119 16124->16119 16126 40e318 23 API calls 16125->16126 16127 40427b 16126->16127 16127->16127 16129 408791 16128->16129 16130 40879f 16128->16130 16131 40f04e 4 API calls 16129->16131 16132 4087bc 16130->16132 16133 40f04e 4 API calls 16130->16133 16131->16130 16134 40e819 11 API calls 16132->16134 16133->16132 16135 4087d7 16134->16135 16148 408803 16135->16148 16150 4026b2 gethostbyaddr 16135->16150 16138 4087eb 16140 40e8a1 30 API calls 16138->16140 16138->16148 16140->16148 16143 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16143->16148 16144 40e819 11 API calls 16144->16148 16145 4088a0 Sleep 16145->16148 16146 4026b2 2 API calls 
16146->16148 16148->16143 16148->16144 16148->16145 16148->16146 16149 40e8a1 30 API calls 16148->16149 16155 408cee 16148->16155 16163 40c4d6 16148->16163 16166 40c4e2 16148->16166 16169 402011 16148->16169 16204 408328 16148->16204 16149->16148 16151 4026fb 16150->16151 16152 4026cd 16150->16152 16151->16138 16153 4026e1 inet_ntoa 16152->16153 16154 4026de 16152->16154 16153->16154 16154->16138 16156 408d02 GetTickCount 16155->16156 16157 408dae 16155->16157 16156->16157 16160 408d19 16156->16160 16157->16148 16158 408da1 GetTickCount 16158->16157 16160->16158 16162 408d89 16160->16162 16256 40a677 16160->16256 16259 40a688 16160->16259 16162->16158 16267 40c2dc 16163->16267 16167 40c2dc 142 API calls 16166->16167 16168 40c4ec 16167->16168 16168->16148 16170 402020 16169->16170 16172 40202e 16169->16172 16171 40f04e 4 API calls 16170->16171 16171->16172 16173 40f04e 4 API calls 16172->16173 16174 40204b 16172->16174 16173->16174 16175 40206e GetTickCount 16174->16175 16177 40f04e 4 API calls 16174->16177 16176 4020db GetTickCount 16175->16176 16186 402090 16175->16186 16179 402132 GetTickCount GetTickCount 16176->16179 16188 4020e7 16176->16188 16180 402068 16177->16180 16178 4020d4 GetTickCount 16178->16176 16181 40f04e 4 API calls 16179->16181 16180->16175 16184 402159 16181->16184 16182 40212b GetTickCount 16182->16179 16183 402684 2 API calls 16183->16186 16187 4021b4 16184->16187 16190 40e854 13 API calls 16184->16190 16186->16178 16186->16183 16193 4020ce 16186->16193 16596 401978 16186->16596 16189 40f04e 4 API calls 16187->16189 16188->16182 16195 401978 15 API calls 16188->16195 16196 402125 16188->16196 16601 402ef8 16188->16601 16192 4021d1 16189->16192 16194 40218e 16190->16194 16197 4021f2 16192->16197 16200 40ea84 30 API calls 16192->16200 16193->16178 16198 40e819 11 API calls 16194->16198 16195->16188 16196->16182 16197->16148 16199 40219c 16198->16199 16199->16187 16609 401c5f 16199->16609 16201 4021ec 16200->16201 16202 40f04e 4 API calls 
16201->16202 16202->16197 16205 407dd6 6 API calls 16204->16205 16206 40833c 16205->16206 16207 406ec3 2 API calls 16206->16207 16214 408340 16206->16214 16208 40834f 16207->16208 16209 40835c 16208->16209 16212 40846b 16208->16212 16210 4073ff 17 API calls 16209->16210 16218 408373 16210->16218 16211 40675c 21 API calls 16229 4085df 16211->16229 16215 4084a7 RegOpenKeyExA 16212->16215 16242 408450 16212->16242 16213 408626 GetTempPathA 16217 408638 16213->16217 16214->16148 16219 4084c0 RegQueryValueExA 16215->16219 16220 40852f 16215->16220 16681 406ba7 IsBadCodePtr 16217->16681 16218->16214 16236 4083ea RegOpenKeyExA 16218->16236 16218->16242 16222 408521 RegCloseKey 16219->16222 16223 4084dd 16219->16223 16225 408564 RegOpenKeyExA 16220->16225 16232 4085a5 16220->16232 16221 4086ad 16224 408762 16221->16224 16226 407e2f 6 API calls 16221->16226 16222->16220 16223->16222 16231 40ebcc 4 API calls 16223->16231 16224->16214 16228 40ec2e codecvt 4 API calls 16224->16228 16230 408573 16225->16230 16225->16232 16233 4086bb 16226->16233 16227 40875b DeleteFileA 16227->16224 16228->16214 16229->16213 16229->16217 16229->16224 16230->16230 16234 408585 RegSetValueExA RegCloseKey 16230->16234 16235 4084f0 16231->16235 16238 40ec2e codecvt 4 API calls 16232->16238 16232->16242 16233->16227 16243 4086e0 lstrcpyA lstrlenA 16233->16243 16234->16232 16235->16222 16237 4084f8 RegQueryValueExA 16235->16237 16239 4083fd RegQueryValueExA 16236->16239 16236->16242 16237->16222 16240 408515 16237->16240 16238->16242 16244 40842d RegSetValueExA 16239->16244 16245 40841e 16239->16245 16241 40ec2e codecvt 4 API calls 16240->16241 16246 40851d 16241->16246 16242->16211 16242->16229 16247 407fcf 64 API calls 16243->16247 16248 408447 RegCloseKey 16244->16248 16245->16244 16245->16248 16246->16222 16249 408719 CreateProcessA 16247->16249 16248->16242 16250 40873d CloseHandle CloseHandle 16249->16250 16251 40874f 16249->16251 16250->16224 16252 407ee6 64 API calls 16251->16252 16253 408754 
16252->16253 16254 407ead 6 API calls 16253->16254 16255 40875a 16254->16255 16255->16227 16262 40a63d 16256->16262 16258 40a685 16258->16160 16260 40a63d GetTickCount 16259->16260 16261 40a696 16260->16261 16261->16160 16263 40a645 16262->16263 16264 40a64d 16262->16264 16263->16258 16265 40a66e 16264->16265 16266 40a65e GetTickCount 16264->16266 16265->16258 16266->16265 16283 40a4c7 GetTickCount 16267->16283 16270 40c300 GetTickCount 16272 40c337 16270->16272 16271 40c326 16271->16272 16273 40c32b GetTickCount 16271->16273 16277 40c363 GetTickCount 16272->16277 16282 40c45e 16272->16282 16273->16272 16274 40c4d2 16274->16148 16275 40c4ab InterlockedIncrement CreateThread 16275->16274 16276 40c4cb CloseHandle 16275->16276 16288 40b535 16275->16288 16276->16274 16278 40c373 16277->16278 16277->16282 16279 40c378 GetTickCount 16278->16279 16280 40c37f 16278->16280 16279->16280 16281 40c43b GetTickCount 16280->16281 16281->16282 16282->16274 16282->16275 16284 40a4f7 InterlockedExchange 16283->16284 16285 40a500 16284->16285 16286 40a4e4 GetTickCount 16284->16286 16285->16270 16285->16271 16285->16282 16286->16285 16287 40a4ef Sleep 16286->16287 16287->16284 16289 40b566 16288->16289 16290 40ebcc 4 API calls 16289->16290 16291 40b587 16290->16291 16292 40ebcc 4 API calls 16291->16292 16319 40b590 16292->16319 16293 40bdcd InterlockedDecrement 16294 40bde2 16293->16294 16296 40ec2e codecvt 4 API calls 16294->16296 16297 40bdea 16296->16297 16298 40ec2e codecvt 4 API calls 16297->16298 16300 40bdf2 16298->16300 16299 40bdb7 Sleep 16299->16319 16301 40be05 16300->16301 16303 40ec2e codecvt 4 API calls 16300->16303 16302 40bdcc 16302->16293 16303->16301 16304 40ebed 8 API calls 16304->16319 16307 40b6b6 lstrlenA 16307->16319 16308 4030b5 2 API calls 16308->16319 16309 40b6ed lstrcpyA 16363 405ce1 16309->16363 16310 40e819 11 API calls 16310->16319 16313 40b731 lstrlenA 16313->16319 16314 40b71f lstrcmpA 16314->16313 16314->16319 16315 40b772 GetTickCount 16315->16319 
16316 40bd49 InterlockedIncrement 16457 40a628 16316->16457 16319->16293 16319->16299 16319->16302 16319->16304 16319->16307 16319->16308 16319->16309 16319->16310 16319->16313 16319->16314 16319->16315 16319->16316 16320 40bc5b InterlockedIncrement 16319->16320 16321 40b7ce InterlockedIncrement 16319->16321 16324 40b912 GetTickCount 16319->16324 16325 40b826 InterlockedIncrement 16319->16325 16326 40b932 GetTickCount 16319->16326 16327 40bcdc closesocket 16319->16327 16329 405ce1 23 API calls 16319->16329 16330 4038f0 6 API calls 16319->16330 16333 40a7c1 22 API calls 16319->16333 16335 40bba6 InterlockedIncrement 16319->16335 16337 40bc4c closesocket 16319->16337 16338 40ab81 lstrcpynA InterlockedIncrement 16319->16338 16340 40ba71 wsprintfA 16319->16340 16342 40ef1e lstrlenA 16319->16342 16343 405ded 12 API calls 16319->16343 16344 40a688 GetTickCount 16319->16344 16345 403e10 16319->16345 16348 403e4f 16319->16348 16351 40384f 16319->16351 16371 40a7a3 inet_ntoa 16319->16371 16378 40abee 16319->16378 16390 401feb GetTickCount 16319->16390 16411 403cfb 16319->16411 16414 40b3c5 16319->16414 16445 40ab81 16319->16445 16320->16319 16373 40acd7 16321->16373 16324->16319 16325->16315 16326->16319 16328 40bc6d InterlockedIncrement 16326->16328 16327->16319 16328->16319 16329->16319 16330->16319 16333->16319 16335->16319 16337->16319 16338->16319 16391 40a7c1 16340->16391 16342->16319 16343->16319 16344->16319 16346 4030fa 4 API calls 16345->16346 16347 403e1d 16346->16347 16347->16319 16349 4030fa 4 API calls 16348->16349 16350 403e5c 16349->16350 16350->16319 16352 4030fa 4 API calls 16351->16352 16353 403863 16352->16353 16354 4038b9 16353->16354 16355 403889 16353->16355 16362 4038b2 16353->16362 16466 4035f9 16354->16466 16460 403718 16355->16460 16360 403718 6 API calls 16360->16362 16361 4035f9 6 API calls 16361->16362 16362->16319 16364 405cf4 16363->16364 16365 405cec 16363->16365 16367 404bd1 4 API calls 16364->16367 16472 404bd1 GetTickCount 16365->16472 
16368 405d02 16367->16368 16477 405472 16368->16477 16372 40a7b9 16371->16372 16372->16319 16374 40f315 14 API calls 16373->16374 16375 40aceb 16374->16375 16376 40f315 14 API calls 16375->16376 16377 40acff 16375->16377 16376->16377 16377->16319 16379 40abfb 16378->16379 16382 40ac65 16379->16382 16542 402f22 16379->16542 16381 40f315 14 API calls 16381->16382 16382->16381 16383 40ac6f 16382->16383 16384 40ac8a 16382->16384 16386 40ab81 2 API calls 16383->16386 16384->16319 16385 40ac23 16385->16382 16388 402684 2 API calls 16385->16388 16387 40ac81 16386->16387 16550 4038f0 16387->16550 16388->16385 16390->16319 16392 40a87d lstrlenA send 16391->16392 16393 40a7df 16391->16393 16394 40a899 16392->16394 16395 40a8bf 16392->16395 16393->16392 16400 40a7fa wsprintfA 16393->16400 16402 40a80a 16393->16402 16403 40a8f2 16393->16403 16397 40a8a5 wsprintfA 16394->16397 16410 40a89e 16394->16410 16398 40a8c4 send 16395->16398 16395->16403 16396 40a978 recv 16396->16403 16404 40a982 16396->16404 16397->16410 16399 40a8d8 wsprintfA 16398->16399 16398->16403 16399->16410 16400->16402 16401 40a9b0 wsprintfA 16401->16410 16402->16392 16403->16396 16403->16401 16403->16404 16405 4030b5 2 API calls 16404->16405 16404->16410 16406 40ab05 16405->16406 16407 40e819 11 API calls 16406->16407 16408 40ab17 16407->16408 16409 40a7a3 inet_ntoa 16408->16409 16409->16410 16410->16319 16412 4030fa 4 API calls 16411->16412 16413 403d0b 16412->16413 16413->16319 16415 405ce1 23 API calls 16414->16415 16416 40b3e6 16415->16416 16417 405ce1 23 API calls 16416->16417 16419 40b404 16417->16419 16418 40b440 16421 40ef7c 3 API calls 16418->16421 16419->16418 16420 40ef7c 3 API calls 16419->16420 16422 40b42b 16420->16422 16423 40b458 wsprintfA 16421->16423 16424 40ef7c 3 API calls 16422->16424 16425 40ef7c 3 API calls 16423->16425 16424->16418 16426 40b480 16425->16426 16427 40ef7c 3 API calls 16426->16427 16428 40b493 16427->16428 16429 40ef7c 3 API calls 16428->16429 16430 40b4bb 16429->16430 
16564 40ad89 GetLocalTime SystemTimeToFileTime 16430->16564 16434 40b4cc 16435 40ef7c 3 API calls 16434->16435 16436 40b4dd 16435->16436 16437 40b211 7 API calls 16436->16437 16438 40b4ec 16437->16438 16439 40ef7c 3 API calls 16438->16439 16440 40b4fd 16439->16440 16441 40b211 7 API calls 16440->16441 16442 40b509 16441->16442 16443 40ef7c 3 API calls 16442->16443 16444 40b51a 16443->16444 16444->16319 16446 40abe9 GetTickCount 16445->16446 16447 40ab8c 16445->16447 16450 40a51d 16446->16450 16447->16446 16448 40aba8 lstrcpynA 16447->16448 16449 40abe1 InterlockedIncrement 16447->16449 16448->16447 16449->16447 16451 40a4c7 4 API calls 16450->16451 16452 40a52c 16451->16452 16453 40a542 GetTickCount 16452->16453 16455 40a539 GetTickCount 16452->16455 16453->16455 16456 40a56c 16455->16456 16456->16319 16458 40a4c7 4 API calls 16457->16458 16459 40a633 16458->16459 16459->16319 16461 40f04e 4 API calls 16460->16461 16463 40372a 16461->16463 16462 403847 16462->16360 16462->16362 16463->16462 16464 4037b3 GetCurrentThreadId 16463->16464 16464->16463 16465 4037c8 GetCurrentThreadId 16464->16465 16465->16463 16467 40f04e 4 API calls 16466->16467 16471 40360c 16467->16471 16468 4036f1 16468->16361 16468->16362 16469 4036da GetCurrentThreadId 16469->16468 16470 4036e5 GetCurrentThreadId 16469->16470 16470->16468 16471->16468 16471->16469 16473 404bff InterlockedExchange 16472->16473 16474 404c08 16473->16474 16475 404bec GetTickCount 16473->16475 16474->16364 16475->16474 16476 404bf7 Sleep 16475->16476 16476->16473 16498 404763 16477->16498 16479 405b58 16508 404699 16479->16508 16482 404763 lstrlenA 16483 405b6e 16482->16483 16529 404f9f 16483->16529 16485 405b79 16485->16319 16487 405549 lstrlenA 16497 40548a 16487->16497 16488 405472 13 API calls 16488->16497 16490 40558d lstrcpynA 16490->16497 16491 405a9f lstrcpyA 16491->16497 16492 404ae6 8 API calls 16492->16497 16493 405935 lstrcpynA 16493->16497 16494 404ae6 8 API calls 16495 405643 LoadLibraryW 16494->16495 
16495->16497 16496 4058e7 lstrcpyA 16496->16497 16497->16479 16497->16488 16497->16490 16497->16491 16497->16492 16497->16493 16497->16494 16497->16496 16502 404ae6 16497->16502 16506 40ef7c lstrlenA lstrlenA lstrlenA 16497->16506 16500 40477a 16498->16500 16499 404859 16499->16497 16500->16499 16501 40480d lstrlenA 16500->16501 16501->16500 16503 404af3 16502->16503 16505 404b03 16502->16505 16504 40ebed 8 API calls 16503->16504 16504->16505 16505->16487 16507 40efb4 16506->16507 16507->16497 16534 4045b3 16508->16534 16511 4045b3 7 API calls 16512 4046c6 16511->16512 16513 4045b3 7 API calls 16512->16513 16514 4046d8 16513->16514 16515 4045b3 7 API calls 16514->16515 16516 4046ea 16515->16516 16517 4045b3 7 API calls 16516->16517 16518 4046ff 16517->16518 16519 4045b3 7 API calls 16518->16519 16520 404711 16519->16520 16521 4045b3 7 API calls 16520->16521 16522 404723 16521->16522 16523 40ef7c 3 API calls 16522->16523 16524 404735 16523->16524 16525 40ef7c 3 API calls 16524->16525 16526 40474a 16525->16526 16527 40ef7c 3 API calls 16526->16527 16528 40475c 16527->16528 16528->16482 16530 404fac 16529->16530 16533 404fb0 16529->16533 16530->16485 16531 404ffd 16531->16485 16532 404fd5 IsBadCodePtr 16532->16533 16533->16531 16533->16532 16535 4045c1 16534->16535 16538 4045c8 16534->16538 16536 40ebcc 4 API calls 16535->16536 16536->16538 16537 40ebcc 4 API calls 16540 4045e1 16537->16540 16538->16537 16538->16540 16539 404691 16539->16511 16540->16539 16541 40ef7c 3 API calls 16540->16541 16541->16540 16557 402d21 GetModuleHandleA 16542->16557 16545 402fcf GetProcessHeap HeapFree 16549 402f44 16545->16549 16546 402f4f 16548 402f6b GetProcessHeap HeapFree 16546->16548 16547 402f85 16547->16545 16547->16547 16548->16549 16549->16385 16551 403900 16550->16551 16552 403980 16550->16552 16553 4030fa 4 API calls 16551->16553 16552->16384 16556 40390a 16553->16556 16554 40391b GetCurrentThreadId 16554->16556 16555 403939 GetCurrentThreadId 16555->16556 16556->16552 
16556->16554 16556->16555 16558 402d46 LoadLibraryA 16557->16558 16559 402d5b GetProcAddress 16557->16559 16558->16559 16560 402d54 16558->16560 16559->16560 16563 402d6b 16559->16563 16560->16546 16560->16547 16560->16549 16561 402d97 GetProcessHeap HeapAlloc 16561->16560 16561->16563 16562 402db5 lstrcpynA 16562->16563 16563->16560 16563->16561 16563->16562 16565 40adbf 16564->16565 16589 40ad08 gethostname 16565->16589 16568 4030b5 2 API calls 16569 40add3 16568->16569 16570 40a7a3 inet_ntoa 16569->16570 16571 40ade4 16569->16571 16570->16571 16572 40ae85 wsprintfA 16571->16572 16575 40ae36 wsprintfA wsprintfA 16571->16575 16573 40ef7c 3 API calls 16572->16573 16574 40aebb 16573->16574 16577 40ef7c 3 API calls 16574->16577 16576 40ef7c 3 API calls 16575->16576 16576->16571 16578 40aed2 16577->16578 16579 40b211 16578->16579 16580 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16579->16580 16581 40b2af GetLocalTime 16579->16581 16582 40b2d2 16580->16582 16581->16582 16583 40b2d9 SystemTimeToFileTime 16582->16583 16584 40b31c GetTimeZoneInformation 16582->16584 16585 40b2ec 16583->16585 16586 40b33a wsprintfA 16584->16586 16587 40b312 FileTimeToSystemTime 16585->16587 16586->16434 16587->16584 16590 40ad71 16589->16590 16595 40ad26 lstrlenA 16589->16595 16592 40ad85 16590->16592 16593 40ad79 lstrcpyA 16590->16593 16592->16568 16593->16592 16594 40ad68 lstrlenA 16594->16590 16595->16590 16595->16594 16597 40f428 14 API calls 16596->16597 16598 40198a 16597->16598 16599 401990 closesocket 16598->16599 16600 401998 16598->16600 16599->16600 16600->16186 16602 402d21 6 API calls 16601->16602 16603 402f01 16602->16603 16604 402f0f 16603->16604 16617 402df2 GetModuleHandleA 16603->16617 16606 402684 2 API calls 16604->16606 16608 402f1f 16604->16608 16607 402f1d 16606->16607 16607->16188 16608->16188 16610 401c80 16609->16610 16611 401d1c 16610->16611 16612 401cc2 wsprintfA 16610->16612 16616 401d79 16610->16616 16611->16611 16614 401d47 wsprintfA 16611->16614 
16613 402684 2 API calls 16612->16613 16613->16610 16615 402684 2 API calls 16614->16615 16615->16616 16616->16187 16618 402e10 LoadLibraryA 16617->16618 16619 402e0b 16617->16619 16620 402e17 16618->16620 16619->16618 16619->16620 16621 402ef1 16620->16621 16622 402e28 GetProcAddress 16620->16622 16621->16604 16622->16621 16623 402e3e GetProcessHeap HeapAlloc 16622->16623 16624 402e62 16623->16624 16624->16621 16625 402ede GetProcessHeap HeapFree 16624->16625 16626 402e7f htons inet_addr 16624->16626 16627 402ea5 gethostbyname 16624->16627 16629 402ceb 16624->16629 16625->16621 16626->16624 16626->16627 16627->16624 16631 402cf2 16629->16631 16632 402d1c 16631->16632 16633 402d0e Sleep 16631->16633 16634 402a62 GetProcessHeap HeapAlloc 16631->16634 16632->16624 16633->16631 16633->16632 16635 402a92 16634->16635 16636 402a99 socket 16634->16636 16635->16631 16637 402cd3 GetProcessHeap HeapFree 16636->16637 16638 402ab4 16636->16638 16637->16635 16638->16637 16648 402abd 16638->16648 16639 402adb htons 16654 4026ff 16639->16654 16641 402b04 select 16641->16648 16642 402ca4 16643 402cb3 GetProcessHeap HeapFree closesocket 16642->16643 16643->16635 16644 402b3f recv 16644->16648 16645 402b66 htons 16645->16642 16645->16648 16646 402b87 htons 16646->16642 16646->16648 16648->16639 16648->16641 16648->16642 16648->16643 16648->16644 16648->16645 16648->16646 16649 402bf3 GetProcessHeap HeapAlloc 16648->16649 16651 402c17 htons 16648->16651 16653 402c4d GetProcessHeap HeapFree 16648->16653 16661 402923 16648->16661 16673 402904 16648->16673 16649->16648 16669 402871 16651->16669 16653->16648 16655 40271d 16654->16655 16656 402717 16654->16656 16658 40272b GetTickCount htons 16655->16658 16657 40ebcc 4 API calls 16656->16657 16657->16655 16659 4027cc htons htons sendto 16658->16659 16660 40278a 16658->16660 16659->16648 16660->16659 16662 402944 16661->16662 16664 40293d 16661->16664 16677 402816 htons 16662->16677 16664->16648 16665 402950 16665->16664 16666 402871 
htons 16665->16666 16667 4029bd htons htons htons 16665->16667 16666->16665 16667->16664 16668 4029f6 GetProcessHeap HeapAlloc 16667->16668 16668->16664 16668->16665 16670 4028e3 16669->16670 16671 402889 16669->16671 16670->16648 16671->16670 16672 4028c3 htons 16671->16672 16672->16670 16672->16671 16674 402921 16673->16674 16675 402908 16673->16675 16674->16648 16676 402909 GetProcessHeap HeapFree 16675->16676 16676->16674 16676->16676 16678 40286b 16677->16678 16679 402836 16677->16679 16678->16665 16679->16678 16680 40285c htons 16679->16680 16680->16678 16680->16679 16682 406bc0 16681->16682 16683 406bbc 16681->16683 16684 40ebcc 4 API calls 16682->16684 16694 406bd4 16682->16694 16683->16221 16685 406be4 16684->16685 16686 406c07 CreateFileA 16685->16686 16687 406bfc 16685->16687 16685->16694 16689 406c34 WriteFile 16686->16689 16690 406c2a 16686->16690 16688 40ec2e codecvt 4 API calls 16687->16688 16688->16694 16692 406c49 CloseHandle DeleteFileA 16689->16692 16693 406c5a CloseHandle 16689->16693 16691 40ec2e codecvt 4 API calls 16690->16691 16691->16694 16692->16690 16695 40ec2e codecvt 4 API calls 16693->16695 16694->16221 16695->16694 14932 780920 TerminateProcess 16696 780005 16701 78092b GetPEB 16696->16701 16698 780030 16703 78003c 16698->16703 16702 780972 16701->16702 16702->16698 16704 780049 16703->16704 16718 780e0f SetErrorMode SetErrorMode 16704->16718 16709 780265 16710 7802ce VirtualProtect 16709->16710 16712 78030b 16710->16712 16711 780439 VirtualFree 16716 7805f4 LoadLibraryA 16711->16716 16717 7804be 16711->16717 16712->16711 16713 7804e3 LoadLibraryA 16713->16717 16715 7808c7 16716->16715 16717->16713 16717->16716 16719 780223 16718->16719 16720 780d90 16719->16720 16721 780dad 16720->16721 16722 780dbb GetPEB 16721->16722 16723 780238 VirtualAlloc 16721->16723 16722->16723 16723->16709 16724 7f89e0 16725 7f89ef 16724->16725 16728 7f9180 16725->16728 16729 7f919b 16728->16729 16730 7f91a4 CreateToolhelp32Snapshot 16729->16730 16731 
7f91c0 Module32First 16729->16731 16730->16729 16730->16731 16732 7f91cf 16731->16732 16734 7f89f8 16731->16734 16735 7f8e3f 16732->16735 16736 7f8e6a 16735->16736 16737 7f8e7b VirtualAlloc 16736->16737 16738 7f8eb3 16736->16738 16737->16738 16738->16738 14901 407a95 RegOpenKeyExA 14902 407ac4 14901->14902 14903 407acb GetUserNameA 14901->14903 14904 407da7 RegCloseKey 14903->14904 14905 407aed LookupAccountNameA 14903->14905 14904->14902 14905->14904 14906 407b24 RegGetKeySecurity 14905->14906 14906->14904 14907 407b49 GetSecurityDescriptorOwner 14906->14907 14908 407b63 EqualSid 14907->14908 14909 407bb8 GetSecurityDescriptorDacl 14907->14909 14908->14909 14911 407b74 LocalAlloc 14908->14911 14910 407da6 14909->14910 14916 407bdc 14909->14916 14910->14904 14911->14909 14912 407b8a InitializeSecurityDescriptor 14911->14912 14914 407bb1 LocalFree 14912->14914 14915 407b96 SetSecurityDescriptorOwner 14912->14915 14913 407bf8 GetAce 14913->14916 14914->14909 14915->14914 14917 407ba6 RegSetKeySecurity 14915->14917 14916->14910 14916->14913 14918 407c1d EqualSid 14916->14918 14919 407c5f EqualSid 14916->14919 14920 407cd9 14916->14920 14921 407c3a DeleteAce 14916->14921 14917->14914 14918->14916 14919->14916 14920->14910 14922 407d5a LocalAlloc 14920->14922 14924 407cf2 RegOpenKeyExA 14920->14924 14921->14916 14922->14910 14923 407d70 InitializeSecurityDescriptor 14922->14923 14925 407d7c SetSecurityDescriptorDacl 14923->14925 14926 407d9f LocalFree 14923->14926 14924->14922 14929 407d0f 14924->14929 14925->14926 14927 407d8c RegSetKeySecurity 14925->14927 14926->14910 14927->14926 14928 407d9c 14927->14928 14928->14926 14930 407d43 RegSetValueExA 14929->14930 14930->14922 14931 407d54 14930->14931 14931->14922
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                              • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                              • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                              • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                              • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                              • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                              • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                              • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                              • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                              • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                              • wsprintfA.USER32 ref: 0040A0B6
                                                                                              • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                              • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                              • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                              • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                              • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                              • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                                • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                                • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                                • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                              • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                              • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                              • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                              • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                              • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                              • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                              • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                              • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                              • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                              • API String ID: 2089075347-2824936573
                                                                                              • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                              • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                              • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                              • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 264 407a95-407ac2 RegOpenKeyExA 265 407ac4-407ac6 264->265 266 407acb-407ae7 GetUserNameA 264->266 267 407db4-407db6 265->267 268 407da7-407db3 RegCloseKey 266->268 269 407aed-407b1e LookupAccountNameA 266->269 268->267 269->268 270 407b24-407b43 RegGetKeySecurity 269->270 270->268 271 407b49-407b61 GetSecurityDescriptorOwner 270->271 272 407b63-407b72 EqualSid 271->272 273 407bb8-407bd6 GetSecurityDescriptorDacl 271->273 272->273 276 407b74-407b88 LocalAlloc 272->276 274 407da6 273->274 275 407bdc-407be1 273->275 274->268 275->274 277 407be7-407bf2 275->277 276->273 278 407b8a-407b94 InitializeSecurityDescriptor 276->278 277->274 279 407bf8-407c08 GetAce 277->279 280 407bb1-407bb2 LocalFree 278->280 281 407b96-407ba4 SetSecurityDescriptorOwner 278->281 282 407cc6 279->282 283 407c0e-407c1b 279->283 280->273 281->280 284 407ba6-407bab RegSetKeySecurity 281->284 285 407cc9-407cd3 282->285 286 407c1d-407c2f EqualSid 283->286 287 407c4f-407c52 283->287 284->280 285->279 288 407cd9-407cdc 285->288 289 407c31-407c34 286->289 290 407c36-407c38 286->290 291 407c54-407c5e 287->291 292 407c5f-407c71 EqualSid 287->292 288->274 293 407ce2-407ce8 288->293 289->286 289->290 290->287 294 407c3a-407c4d DeleteAce 290->294 291->292 295 407c73-407c84 292->295 296 407c86 292->296 297 407d5a-407d6e LocalAlloc 293->297 298 407cea-407cf0 293->298 294->285 299 407c8b-407c8e 295->299 296->299 297->274 302 407d70-407d7a InitializeSecurityDescriptor 297->302 298->297 303 407cf2-407d0d RegOpenKeyExA 298->303 300 407c90-407c96 299->300 301 407c9d-407c9f 299->301 300->301 304 407ca1-407ca5 301->304 305 407ca7-407cc3 301->305 306 407d7c-407d8a SetSecurityDescriptorDacl 302->306 307 407d9f-407da0 LocalFree 302->307 303->297 308 407d0f-407d16 303->308 304->282 304->305 305->282 306->307 309 407d8c-407d9a RegSetKeySecurity 306->309 307->274 310 407d19-407d1e 308->310 309->307 311 407d9c 309->311 310->310 312 407d20-407d52 call 402544 RegSetValueExA 310->312 311->307 312->297 315 407d54 312->315 315->297
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                              • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                              • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                              • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                              • String ID: D$PromptOnSecureDesktop
                                                                                              • API String ID: 2976863881-1403908072
                                                                                              • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                              • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                              • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                              • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 549 409326-409348 call 401910 GetVersionExA 552 409358-40935c 549->552 553 40934a-409356 549->553 554 409360-40937d GetModuleHandleA GetModuleFileNameA 552->554 553->554 555 409385-4093a2 554->555 556 40937f 554->556 557 4093a4-4093d7 call 402544 wsprintfA 555->557 558 4093d9-409412 call 402544 wsprintfA 555->558 556->555 563 409415-40942c call 40ee2a 557->563 558->563 566 4094a3-4094b3 call 406edd 563->566 567 40942e-409432 563->567 572 4094b9-4094f9 call 402544 RegOpenKeyExA 566->572 573 40962f-409632 566->573 567->566 569 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 567->569 569->566 583 409502-40952e call 402544 RegQueryValueExA 572->583 584 4094fb-409500 572->584 575 409634-409637 573->575 578 409639-40964a call 401820 575->578 579 40967b-409682 575->579 595 40964c-409662 578->595 596 40966d-409679 578->596 586 409683 call 4091eb 579->586 605 409530-409537 583->605 606 409539-409565 call 402544 RegQueryValueExA 583->606 589 40957a-40957f 584->589 592 409688-409690 586->592 593 409581-409584 589->593 594 40958a-40958d 589->594 600 409692 592->600 601 409698-4096a0 592->601 593->575 593->594 594->579 602 409593-40959a 594->602 603 409664-40966b 595->603 604 40962b-40962d 595->604 596->586 600->601 610 4096a2-4096a9 601->610 611 40961a-40961f 602->611 612 40959c-4095a1 602->612 603->604 604->610 607 40956e-409577 RegCloseKey 605->607 606->607 618 409567 606->618 607->589 615 409625 611->615 612->611 616 4095a3-4095c0 call 40f0e4 612->616 615->604 622 4095c2-4095db call 4018e0 616->622 623 40960c-409618 616->623 618->607 622->610 626 4095e1-4095f9 622->626 623->615 626->610 627 4095ff-409607 626->627 627->610
                                                                                              APIs
                                                                                              • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                              • wsprintfA.USER32 ref: 004093CE
                                                                                              • wsprintfA.USER32 ref: 0040940C
                                                                                              • wsprintfA.USER32 ref: 0040948D
                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                              • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                              • String ID: PromptOnSecureDesktop$runas
                                                                                              • API String ID: 3696105349-2220793183
                                                                                              • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                              • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                              • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                              • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 666 406a60-406a89 CreateFileA 667 406b8c-406ba1 GetLastError 666->667 668 406a8f-406ac3 GetDiskFreeSpaceA 666->668 669 406ba3-406ba6 667->669 670 406ac5-406adc call 40eb0e 668->670 671 406b1d-406b34 call 406987 668->671 670->671 678 406ade 670->678 676 406b56-406b63 FindCloseChangeNotification 671->676 677 406b36-406b54 GetLastError CloseHandle 671->677 680 406b65-406b7d GetLastError CloseHandle 676->680 681 406b86-406b8a 676->681 679 406b7f-406b80 DeleteFileA 677->679 682 406ae0-406ae5 678->682 683 406ae7-406afb call 40eca5 678->683 679->681 680->679 681->669 682->683 684 406afd-406aff 682->684 683->671 684->671 687 406b01 684->687 688 406b03-406b08 687->688 689 406b0a-406b17 call 40eca5 687->689 688->671 688->689 689->671
                                                                                              APIs
                                                                                              • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                              • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                              • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 1251348514-2980165447
                                                                                              • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                              • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                              • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                              • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$CountFileInformationSystemTickVolume
                                                                                              • String ID:
                                                                                              • API String ID: 1209300637-0
                                                                                              • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                              • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                              • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                              • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 821 78092b-780970 GetPEB 822 780972-780978 821->822 823 78097a-78098a call 780d35 822->823 824 78098c-78098e 822->824 823->824 830 780992-780994 823->830 824->822 826 780990 824->826 827 780996-780998 826->827 829 780a3b-780a3e 827->829 830->827 831 78099d-7809d3 830->831 832 7809dc-7809ee call 780d0c 831->832 835 7809f0-780a3a 832->835 836 7809d5-7809d8 832->836 835->829 836->832
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: .$GetProcAddress.$l
                                                                                              • API String ID: 0-2784972518
                                                                                              • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                              • Instruction ID: 1050865b8f551beb30e40799f8e93d2cdd75059be690525d97bedd8af62775e7
                                                                                              • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                              • Instruction Fuzzy Hash: 83318AB6900609CFDB10DF99C884AAEBBF9FF08324F25404AD841A7311D775EA49CBA4

                                                                                              Control-flow Graph (rendered graph; block edge list omitted): function 0x7f9180-0x7f91de, calls CreateToolhelp32Snapshot, Module32First and sub_7f8e3f
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007F91A8
                                                                                              • Module32First.KERNEL32(00000000,00000224), ref: 007F91C8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094240517.00000000007E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007E9000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7e9000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 3833638111-0
                                                                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                              • Instruction ID: 23b77701c2cb9df66a99cd7a4542f63246313e6aaa0dc7651c79590a2e224c9a
                                                                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                              • Instruction Fuzzy Hash: DAF0623150071D6FD7203BB5988DBBA76E8AF49764F100539E742916C0DB74EC458A61
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                                • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                                • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$Process$AllocateSize
                                                                                              • String ID:
                                                                                              • API String ID: 2559512979-0
                                                                                              • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                              • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                              • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                              • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                              Control-flow Graph (rendered graph; block edge list omitted): function 0x4073ff-0x407808, calls RegOpenKeyExA, RegEnumKeyA, RegQueryValueExA, RegCloseKey, GetFileAttributesExA and internal subroutines (sub_402544, sub_406dc2, sub_406cad, sub_406c96, sub_40f1a5, sub_40ee2a, sub_40ee95, sub_40ef00, sub_40ed03, sub_40ed23, sub_40ed77, sub_40ee08)
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                              • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                              • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                              • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                              • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                                • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                              • String ID: "$PromptOnSecureDesktop
                                                                                              • API String ID: 3433985886-3108538426
                                                                                              • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                              • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                              • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                              • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                              Control-flow Graph (rendered graph; block edge list omitted): function 0x40704c-0x4073f7, calls RegOpenKeyExA, RegEnumValueA, RegCloseKey, GetFileAttributesExA and internal subroutines (sub_402544, sub_406dc2, sub_406cad, sub_406c96, sub_40f1a5, sub_40ee2a, sub_40ee95, sub_40eed1, sub_40ef00, sub_40ed23, sub_40ed77)
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                              • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                              • RegCloseKey.KERNELBASE(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                              • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                                • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                              • String ID: $"$PromptOnSecureDesktop
                                                                                              • API String ID: 4293430545-98143240
                                                                                              • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                              • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                              • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                              • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                              Control-flow Graph (rendered graph; block edge list omitted): function 0x40675c-0x406986, calls SetFileAttributesA, CreateFileA, GetFileSize, ReadFile (in a loop), SetFilePointer, FindCloseChangeNotification and internal subroutines sub_40ebcc and sub_40ec2e
                                                                                              APIs
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                              • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                              • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                              • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                              • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                              • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                              • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                              • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                                • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                              • String ID:
                                                                                              • API String ID: 1400801100-0
                                                                                              • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                              • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                              • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                              • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
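The argument values in the call list above decode the routine without needing the graph: SetFileAttributesA(…, 0x80) sets FILE_ATTRIBUTE_NORMAL before the file is opened and SetFileAttributesA(…, 0x02) restores FILE_ATTRIBUTE_HIDDEN afterwards; CreateFileA is called with GENERIC_READ (0x80000000), FILE_SHARE_READ|FILE_SHARE_WRITE (3) and OPEN_EXISTING (3); the three ReadFile sizes 0x40, 0xF8 and 0x28 are sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), with the 0x28 read sitting in a loop, so the function walks a PE32 file's section table. The closing FindCloseChangeNotification call is CloseHandle on the same 0xFF file handle; the two exports share one address in kernelbase, so address-based symbolisation can label it either way. The following is an added example written for this report, not code from the sample or from Joe Sandbox: a Python parser that performs the same three reads, on a constructed toy PE32 so it runs offline. The final SetFilePointer(0)/ReadFile pair, which reads the file into the buffer at 0x4121A8, is not modelled because the report does not show what happens to that buffer.

```python
import struct

# Read sizes used by the routine's ReadFile calls: they equal sizeof(IMAGE_DOS_HEADER),
# sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER).
DOS_HEADER_SIZE = 0x40
NT_HEADERS32_SIZE = 0xF8
SECTION_HEADER_SIZE = 0x28
PE32_MAGIC = 0x10B


def parse_pe_headers(data: bytes) -> dict:
    """Walk a PE32 file in the same order as the sample's routine: DOS header, NT
    headers at e_lfanew, then one IMAGE_SECTION_HEADER per NumberOfSections."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if len(nt) < NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, num_sections = struct.unpack_from("<HH", nt, 4)
    size_of_optional = struct.unpack_from("<H", nt, 20)[0]
    if struct.unpack_from("<H", nt, 24)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled (a 0xF8 NT header read implies 32-bit)")
    sections = []
    table = e_lfanew + 24 + size_of_optional   # section table follows the optional header
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + SECTION_HEADER_SIZE]
        if len(raw) < SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", raw)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return {"machine": machine, "e_lfanew": e_lfanew,
            "number_of_sections": num_sections, "sections": sections}


def section_bytes(data: bytes, name: str) -> bytes:
    """Return the raw bytes of the named section: the seek-and-read the routine can do
    once it holds the section table, bounds-checked against the file size."""
    for s in parse_pe_headers(data)["sections"]:
        if s["name"] == name:
            end = s["raw_ptr"] + s["raw_size"]
            if end > len(data):
                raise ValueError(f"section {name} runs past end of file")
            return data[s["raw_ptr"]:end]
    raise KeyError(name)


def build_minimal_pe32(sections) -> bytes:
    """Construct a toy PE32 image (constructed test input, not the analysed sample):
    sections is a list of (name, virtual_address, raw_size) tuples."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)                        # DOS header plus padding up to e_lfanew
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                  # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    nt = b"PE\0\0" + file_hdr + bytes(opt)
    hdr_end = e_lfanew + len(nt) + len(sections) * SECTION_HEADER_SIZE
    first_raw = (hdr_end + 0x1FF) & ~0x1FF           # 0x200 file alignment
    table, body = b"", b""
    for idx, (name, vaddr, raw_size) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), raw_size, vaddr,
                             raw_size, first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += bytes([0x90 + idx]) * raw_size        # distinguishable filler per section
    image = bytes(dos) + nt + table
    return image + b"\0" * (first_raw - len(image)) + body


if __name__ == "__main__":
    img = build_minimal_pe32([(b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)])
    for s in parse_pe_headers(img)["sections"]:
        print(f'{s["name"]:8} rva={s["virtual_address"]:#x} raw@{s["raw_ptr"]:#x} size={s["raw_size"]:#x}')
```

Running the script against a real file instead of the constructed image is a one-line change (`open(path, "rb").read()`); the same MZ/PE signature checks are the ones a loader must make before trusting e_lfanew, and a missing check there is how malformed headers crash naive parsers.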

                                                                                              Control-flow Graph (rendered graph; block edge list omitted): function 0x78003c-0x78091d, calls VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA and internal subroutines (sub_780a3f, sub_780a69, sub_780cce, sub_780ce7, sub_780d90, sub_780e0f)
                                                                                              APIs
                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0078024D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID: cess$kernel32.dll
                                                                                              • API String ID: 4275171209-1230238691
                                                                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                              • Instruction ID: 11e41495bae7d7e4d724454cbfe7a509fbcdab37b2827ee2bc84ff87f4a961b5
                                                                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                              • Instruction Fuzzy Hash: 19527974A01229DFDBA4CF58C984BA8BBB1BF09304F1480D9E50DAB351DB34AE99DF54

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                                • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                                • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                                • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                                • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                                • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 4131120076-2980165447
                                                                                              • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                              • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                              • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                              • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                              Control-flow Graph

                                                                                              • Control-flow graph (rendering not available): function at 00404000; graph nodes call CreateFileA, GetLastError and Sleep
                                                                                              APIs
                                                                                              • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                              • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                              • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateErrorFileLastSleep
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 408151869-2980165447
                                                                                              • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                              • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                              • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                              • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                              Control-flow Graph

                                                                                              • Control-flow graph (rendering not available): function at 00406987; graph nodes call WriteFile (two call sites)
                                                                                              APIs
                                                                                              • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                              • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID: ,k@
                                                                                              • API String ID: 3934441357-1053005162
                                                                                              • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                              • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                              • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                              • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                              Control-flow Graph

                                                                                              • Control-flow graph (rendering not available): function at 004091EB; graph nodes call ShellExecuteA and Sleep
                                                                                              APIs
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                              • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShellSleep
                                                                                              • String ID:
                                                                                              • API String ID: 4194306370-0
                                                                                              • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                              • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                              • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                              • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                              Control-flow Graph

                                                                                              • Control-flow graph (rendering not available): function at 00780E0F; graph nodes call SetErrorMode twice
                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE(00000400,?,?,00780223,?,?), ref: 00780E19
                                                                                              • SetErrorMode.KERNELBASE(00000000,?,?,00780223,?,?), ref: 00780E1E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                              • Instruction ID: c37cf524c63f5757edd935c017db940ef546b67fe649cc31a07347fd0354d86c
                                                                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                              • Instruction Fuzzy Hash: 77D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C774994047E5
                                                                                              APIs
                                                                                                • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                              • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                              • String ID:
                                                                                              • API String ID: 1823874839-0
                                                                                              • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                              • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                              • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                              • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                              APIs
                                                                                              • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00780929
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 560597551-0
                                                                                              • Opcode ID: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                              • Instruction ID: 46c7c7c6dcd93c711cbd188b681eb9ae36fa97d9339837816e323f92b9b16bc3
                                                                                              • Opcode Fuzzy Hash: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                              • Instruction Fuzzy Hash: 9F90043034437511DC3035DC0C01F4500133741734F7047307533DD1D0C54157004117
                                                                                              APIs
                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007F8E90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094240517.00000000007E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007E9000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7e9000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                              • Instruction ID: 88a0bfc114dd51a83fc6f64a0a528a9b0ceecf0d0b87d6e45d7edaa317cb5345
                                                                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                              • Instruction Fuzzy Hash: 9B113F79A00208EFDB01DF98C985E99BBF5AF08350F0580A4FA489B361D775EA50DF80
                                                                                              APIs
                                                                                              • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                              • closesocket.WS2_32(?), ref: 0040CB63
                                                                                              • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                              • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                              • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                              • wsprintfA.USER32 ref: 0040CD21
                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                              • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                              • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                              • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                              • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                              • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                              • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                              • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                              • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                              • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                              • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                              • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                              • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                              • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                              • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                              • closesocket.WS2_32(?), ref: 0040D56C
                                                                                              • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                              • ExitProcess.KERNEL32 ref: 0040D583
                                                                                              • wsprintfA.USER32 ref: 0040D81F
                                                                                                • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                              • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                              • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                              • API String ID: 562065436-3791576231
                                                                                              • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                              • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                              • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                              • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                              • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                              • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                              • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                              • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                              • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                              • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                              • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                              • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                              • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                              • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                              • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                              • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                              • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                              • API String ID: 2238633743-3228201535
                                                                                              • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                              • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                              • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                              • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                              • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                              • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                              • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                              • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                              • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                              • wsprintfA.USER32 ref: 0040B3B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                              • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                              • API String ID: 766114626-2976066047
                                                                                              • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                              • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                              • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                              • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                              APIs
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                              • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShelllstrlen
                                                                                              • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                              • API String ID: 1628651668-3716895483
                                                                                              • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                              • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                              • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                              • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                              APIs
                                                                                              • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                              • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                              • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                                • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                              • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                              • API String ID: 4207808166-1381319158
                                                                                              • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                              • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                              • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                              • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                              • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                              • htons.WS2_32(00000000), ref: 00402ADB
                                                                                              • select.WS2_32 ref: 00402B28
                                                                                              • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                              • htons.WS2_32(?), ref: 00402B71
                                                                                              • htons.WS2_32(?), ref: 00402B8C
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                              • String ID:
                                                                                              • API String ID: 1639031587-0
                                                                                              • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                              • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                              • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                              • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                              • ExitProcess.KERNEL32 ref: 00404121
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEventExitProcess
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 2404124870-2980165447
                                                                                              • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                              • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                              • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                              • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                              • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                              • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                              • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Read$AddressLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 2438460464-0
                                                                                              • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                              • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                              • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                              • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                              APIs
                                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                              • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                              • String ID: *p@
                                                                                              • API String ID: 3429775523-2474123842
                                                                                              • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                              • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                              • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                              • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1965334864-0
                                                                                              • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                              • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                              • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                              • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 007865F6
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00786610
                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00786631
                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00786652
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1965334864-0
                                                                                              • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                              • Instruction ID: 9e22945f9bed584e372acad72256f75da19f8ea1f3e967655bd5b861a3def70b
                                                                                              • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                              • Instruction Fuzzy Hash: 4E11A3B1740258BFDB21AF65DC0AF9B3FA8EB047A5F104024F908E7251E7B5DD0087A4
                                                                                              APIs
                                                                                              • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                              • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                                • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                                • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3754425949-0
                                                                                              • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                              • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                              • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                              • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                              • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                              • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                              • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094240517.00000000007E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 007E9000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_7e9000_vekvtia.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                              • Instruction ID: 8772643621437b5641f686dbfc2a84511aa7f315d499ec48aa13ff198121a0ad
                                                                                              • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                              • Instruction Fuzzy Hash: D91170723401049FD784DF55DC81FA673EAFB89320B298056EA04CB315EA79EC02C760
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                              • Instruction ID: c137a415cd33a37c16b2a2ea5c25f585a778bfd2a950d56cefb96e01b2f897f6
                                                                                              • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                              • Instruction Fuzzy Hash: 0C01F272B406008FDF61EF60C805BAB33E5FB86306F0544A4D90A97282E378A8498BD0
                                                                                              APIs
                                                                                              • ExitProcess.KERNEL32 ref: 00789E6D
                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 00789FE1
                                                                                              • lstrcat.KERNEL32(?,?), ref: 00789FF2
                                                                                              • lstrcat.KERNEL32(?,0041070C), ref: 0078A004
                                                                                              • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0078A054
                                                                                              • DeleteFileA.KERNEL32(?), ref: 0078A09F
                                                                                              • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0078A0D6
                                                                                              • lstrcpy.KERNEL32 ref: 0078A12F
                                                                                              • lstrlen.KERNEL32(00000022), ref: 0078A13C
                                                                                              • GetTempPathA.KERNEL32(000001F4,?), ref: 00789F13
                                                                                                • Part of subcall function 00787029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00787081
                                                                                                • Part of subcall function 00786F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wdlalqiu,00787043), ref: 00786F4E
                                                                                                • Part of subcall function 00786F30: GetProcAddress.KERNEL32(00000000), ref: 00786F55
                                                                                                • Part of subcall function 00786F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
                                                                                                • Part of subcall function 00786F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0078A1A2
                                                                                              • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1C5
                                                                                              • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0078A214
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0078A21B
                                                                                              • GetDriveTypeA.KERNEL32(?), ref: 0078A265
                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 0078A29F
                                                                                              • lstrcat.KERNEL32(?,00410A34), ref: 0078A2C5
                                                                                              • lstrcat.KERNEL32(?,00000022), ref: 0078A2D9
                                                                                              • lstrcat.KERNEL32(?,00410A34), ref: 0078A2F4
                                                                                              • wsprintfA.USER32 ref: 0078A31D
                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 0078A345
                                                                                              • lstrcat.KERNEL32(?,?), ref: 0078A364
                                                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0078A387
                                                                                              • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0078A398
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1D1
                                                                                                • Part of subcall function 00789966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0078999D
                                                                                                • Part of subcall function 00789966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007899BD
                                                                                                • Part of subcall function 00789966: RegCloseKey.ADVAPI32(?), ref: 007899C6
                                                                                              • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0078A3DB
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0078A3E2
                                                                                              • GetDriveTypeA.KERNEL32(00000022), ref: 0078A41D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                              • String ID: "$"$"$D$P$\
                                                                                              • API String ID: 1653845638-2605685093
                                                                                              • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                              • Instruction ID: fcd6cfc1229646f162688ada09cd9548fc519c1614a6a490e657c959ea0a90b0
                                                                                              • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                              • Instruction Fuzzy Hash: F1F112B1D80259FFDF11EBA09C49EEF7BBCAB08300F1444A6F605E2141E7799A858F65
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00787D21
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00787D46
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787D7D
                                                                                              • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00787DA2
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787DC0
                                                                                              • EqualSid.ADVAPI32(?,?), ref: 00787DD1
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787DE5
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787DF3
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787E03
                                                                                              • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00787E12
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00787E19
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787E35
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                              • String ID: D$PromptOnSecureDesktop
                                                                                              • API String ID: 2976863881-1403908072
                                                                                              • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                              • Instruction ID: 5d765d5f1e80701d1017c59c09a3c21054aebdb72f923c3248f286917c5cb4fc
                                                                                              • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                              • Instruction Fuzzy Hash: B1A15C71940219AFDB11DFA1DD88FEEBBB9FB08300F148069F616E2150DB79CA85CB64
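The listings above are only API sequences, but the constants the IDA plugin recovered are enough to read them: in the function at 00406F0F, AllocateAndInitializeSid(..., 2, 0x20, 0x220, ...) builds S-1-5-32-544 (SECURITY_BUILTIN_DOMAIN_RID / DOMAIN_ALIAS_RID_ADMINS, BUILTIN\Administrators) and CheckTokenMembership tests the current token against it; at 004063CA and 00786631 VirtualAllocEx is called with flProtect 0x40 (PAGE_EXECUTE_READWRITE) and followed by WriteProcessMemory, the injection primitive behind the "Injects a PE file into a foreign processes" signature; the routine around 0078A1A2 opens 0x80000001 (HKEY_CURRENT_USER), writes a REG_SZ value (dwType 1, cbData 0x1F5), starts a process with 0x08000000 (CREATE_NO_WINDOW) and deletes a file; and the function at 00787D21 opens a key with an access mask 0x000E0100 that includes WRITE_OWNER (0x80000) and WRITE_DAC (0x40000), then RegSetKeySecurity(..., 1 = OWNER_SECURITY_INFORMATION, ...) replaces the owner, next to the string PromptOnSecureDesktop. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses bullets in the report's own `API.MODULE(args), ref: addr` format and flags those four patterns. The format assumptions (eight-hex-digit DWORD arguments, `?` for values the plugin could not recover) and the rule names are mine; the sample input is copied from the listings above.

```python
import re
from dataclasses import dataclass

# One "APIs" bullet from a Joe Sandbox function listing, in the three shapes seen on this page:
#   • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
#   • ExitProcess.KERNEL32 ref: 00789E6D
#   • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,...), ref: 00408DFC
API_LINE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Win32 constants the rules below key on
PAGE_EXECUTE_READWRITE = 0x40
HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE = 0x80000001, 0x80000002
SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS = 0x20, 0x220
OWNER_SECURITY_INFORMATION = 0x1


@dataclass
class Call:
    api: str
    module: str
    args: list      # raw argument text; "?" where the plugin could not recover the value
    ref: str        # call-site address
    subcall: bool   # reported from a callee of this function rather than the function itself


def parse_api_lines(text: str) -> list:
    """Parse the bullets of one function's APIs section into Call records, skipping everything else."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(Call(m.group("api"), m.group("module"), args,
                          m.group("ref") or "", m.group("sub") is not None))
    return calls


def arg_int(arg: str):
    """Decode an 8-hex-digit DWORD; None for '?' and for string arguments such as *p@ or EntryPoint."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def classify(calls: list) -> list:
    """Return (tag, call-site) pairs for the API patterns worth a second look in this report."""
    names = {c.api for c in calls}
    findings = []
    for i, c in enumerate(calls):
        # Remote RWX allocation followed by a cross-process write: the injection primitive.
        if (c.api == "VirtualAllocEx" and len(c.args) >= 5
                and arg_int(c.args[4]) == PAGE_EXECUTE_READWRITE
                and any(d.api == "WriteProcessMemory" for d in calls[i + 1:])):
            findings.append(("remote-rwx-alloc-then-write", c.ref))
        # S-1-5-32-544 (BUILTIN\Administrators) built by hand, then tested against the token.
        if (c.api == "AllocateAndInitializeSid" and len(c.args) >= 4
                and arg_int(c.args[1]) == 2
                and arg_int(c.args[2]) == SECURITY_BUILTIN_DOMAIN_RID
                and arg_int(c.args[3]) == DOMAIN_ALIAS_RID_ADMINS
                and "CheckTokenMembership" in names):
            findings.append(("admin-membership-check", c.ref))
        # A value written under HKCU/HKLM, a process started, a file deleted: install and hand over.
        if (c.api == "RegOpenKeyExA" and c.args
                and arg_int(c.args[0]) in (HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE)
                and {"RegSetValueExA", "CreateProcessA", "DeleteFileA"} <= names):
            findings.append(("registry-write-spawn-delete", c.ref))
        # Owner replaced via RegSetKeySecurity(OWNER_SECURITY_INFORMATION): key ACL takeover.
        if (c.api == "RegSetKeySecurity" and len(c.args) >= 2
                and arg_int(c.args[1]) == OWNER_SECURITY_INFORMATION
                and "SetSecurityDescriptorOwner" in names):
            findings.append(("registry-key-owner-takeover", c.ref))
    return findings


# Constructed inputs: bullets copied from the listings above (admin check, injection, install, key takeover).
SAMPLE_ADMIN_CHECK = """
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
"""
SAMPLE_INJECTION = """
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
"""
SAMPLE_INSTALL = """
• ExitProcess.KERNEL32 ref: 00789E6D
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0078A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0078A1C5
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0078A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0078A398
"""
SAMPLE_KEY_TAKEOVER = """
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00787D21
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00787E12
"""
```

The rules are deliberately narrow: they require the recovered constants, not just the API names, so the VirtualAlloc(PAGE_READWRITE) that precedes the remote allocation in the same listing is not flagged, and a RegOpenKeyExA whose hive handle the plugin could not recover (`?`) does not trigger the install rule. Feed the parser one function's APIs section at a time, since the rules reason about calls that belong to the same routine.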
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                              • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                              • API String ID: 2400214276-165278494
                                                                                              • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                              • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                              • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                              • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                              APIs
                                                                                              • wsprintfA.USER32 ref: 0040A7FB
                                                                                              • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                              • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                              • wsprintfA.USER32 ref: 0040A8AF
                                                                                              • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                              • wsprintfA.USER32 ref: 0040A8E2
                                                                                              • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                              • wsprintfA.USER32 ref: 0040A9B9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$send$lstrlenrecv
                                                                                              • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                              • API String ID: 3650048968-2394369944
                                                                                              • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                              • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                              • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                              • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                              • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                              • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                              • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                              • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                              • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                              • String ID: D
                                                                                              • API String ID: 3722657555-2746444292
                                                                                              • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                              • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                              • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                              • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00787A96
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787ACD
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00787ADF
                                                                                              • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00787B01
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00787B1F
                                                                                              • EqualSid.ADVAPI32(?,?), ref: 00787B39
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787B4A
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787B58
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00787B68
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00787B77
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00787B7E
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00787B9A
                                                                                              • GetAce.ADVAPI32(?,?,?), ref: 00787BCA
                                                                                              • EqualSid.ADVAPI32(?,?), ref: 00787BF1
                                                                                              • DeleteAce.ADVAPI32(?,?), ref: 00787C0A
                                                                                              • EqualSid.ADVAPI32(?,?), ref: 00787C2C
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00787CB1
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00787CBF
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00787CD0
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00787CE0
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00787CEE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                              • String ID: D
                                                                                              • API String ID: 3722657555-2746444292
                                                                                              • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                              • Instruction ID: e90db8605f24c7f4b8cdea20a8669ae03bab4930f35680131aa2d7c0f7e4d63d
                                                                                              • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                              • Instruction Fuzzy Hash: A1815C71944219AFDB11DFA4DD88FEEBBBCAF08340F24806AE506E7150D779CA41CB64
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                              • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                              • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                              • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseOpenQuery
                                                                                              • String ID: PromptOnSecureDesktop$localcfg
                                                                                              • API String ID: 237177642-1678164370
                                                                                              • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                              • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                              • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                              • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                              • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                              • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                              • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                              • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                              • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                              • API String ID: 835516345-270533642
                                                                                              • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                              • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                              • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                              • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0078865A
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0078867B
                                                                                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007886A8
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007886B1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseOpenQuery
                                                                                              • String ID: "$PromptOnSecureDesktop
                                                                                              • API String ID: 237177642-3108538426
                                                                                              • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                              • Instruction ID: e7fd308d00a54076d95c34a6a741fe4ef1c2517d2ffb4fe337ea5a89d3a2103d
                                                                                              • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                              • Instruction Fuzzy Hash: 13C1A0B1980108FEEB51BBA4DD89EEF7BBDEB04300F544076F605E6051EB784E948B66
                                                                                              APIs
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 00781601
                                                                                              • lstrlenW.KERNEL32(-00000003), ref: 007817D8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShelllstrlen
                                                                                              • String ID: $<$@$D
                                                                                              • API String ID: 1628651668-1974347203
                                                                                              • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                              • Instruction ID: 56effd8c578fc6a756252e3c3c41c79e8ba6b0f8186d24e4f90db8795d4cfe5d
                                                                                              • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                              • Instruction Fuzzy Hash: 2AF19EB15483419FD720EF64C888BABB7E8FB88300F90892DF596D7290D7B8D945CB56
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007876D9
                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00787757
                                                                                              • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0078778F
                                                                                              • ___ascii_stricmp.LIBCMT ref: 007878B4
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0078794E
                                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0078796D
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0078797E
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 007879AC
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00787A56
                                                                                                • Part of subcall function 0078F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0078772A,?), ref: 0078F414
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007879F6
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00787A4D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                              • String ID: "$PromptOnSecureDesktop
                                                                                              • API String ID: 3433985886-3108538426
                                                                                              • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                              • Instruction ID: 052c9d4e6bbc6744200fa5f9b792f86a5469912d2ebfa4157b534f51d5ec58c3
                                                                                              • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                              • Instruction Fuzzy Hash: EFC1C172984209EFDB15ABA4DC49FEE7BB9EF45310F2040A1F505E6191EB79DA80CB60
                                                                                              APIs
                                                                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00782CED
                                                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 00782D07
                                                                                              • htons.WS2_32(00000000), ref: 00782D42
                                                                                              • select.WS2_32 ref: 00782D8F
                                                                                              • recv.WS2_32(?,00000000,00001000,00000000), ref: 00782DB1
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00782E62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                              • String ID:
                                                                                              • API String ID: 127016686-0
                                                                                              • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                              • Instruction ID: e9ea1ebc2f37348c9937cc14dcfa3e73d43684d78d6910b0c3dceb79edd0491d
                                                                                              • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                              • Instruction Fuzzy Hash: 2C61C071544305AFC720BF64DC0CB6BBBF8EB48752F144819F98497152D7B9D882CBAA
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                                • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                                • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                                • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                                • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                                • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                                • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                              • wsprintfA.USER32 ref: 0040AEA5
                                                                                                • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                              • wsprintfA.USER32 ref: 0040AE4F
                                                                                              • wsprintfA.USER32 ref: 0040AE5E
                                                                                                • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                              • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                              • API String ID: 3631595830-1816598006
                                                                                              • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                              • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                              • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                              • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                              • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                              • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                              • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                              • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                              • htons.WS2_32(00000035), ref: 00402E88
                                                                                              • inet_addr.WS2_32(?), ref: 00402E93
                                                                                              • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                              • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                              • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                              • String ID: GetNetworkParams$iphlpapi.dll
                                                                                              • API String ID: 929413710-2099955842
                                                                                              • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                              • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                              • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                              • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                              APIs
                                                                                              • GetVersionExA.KERNEL32(?), ref: 007895A7
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007895D5
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 007895DC
                                                                                              • wsprintfA.USER32 ref: 00789635
                                                                                              • wsprintfA.USER32 ref: 00789673
                                                                                              • wsprintfA.USER32 ref: 007896F4
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00789758
                                                                                              • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0078978D
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007897D8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 3696105349-2980165447
                                                                                              • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                              • Instruction ID: 42de77b672943b115824066a523765a322ec8d48bec6b8c15357696fcfb44a13
                                                                                              • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                              • Instruction Fuzzy Hash: 3BA182B198020CEFEB11EFA1CC49FEA3BACEB04741F144026FA15D6152E779D984CBA4
                                                                                              APIs
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmpi
                                                                                              • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                              • API String ID: 1586166983-142018493
                                                                                              • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                              • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                              • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                              • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                              APIs
                                                                                              • wsprintfA.USER32 ref: 0040B467
                                                                                                • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                                • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                                • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$wsprintf
                                                                                              • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                              • API String ID: 1220175532-2340906255
                                                                                              • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                              • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                              • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                              • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                              APIs
                                                                                              • GetVersionExA.KERNEL32 ref: 0078202D
                                                                                              • GetSystemInfo.KERNEL32(?), ref: 0078204F
                                                                                              • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0078206A
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00782071
                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 00782082
                                                                                              • GetTickCount.KERNEL32 ref: 00782230
                                                                                                • Part of subcall function 00781E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00781E7C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                              • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                              • API String ID: 4207808166-1391650218
                                                                                              • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                              • Instruction ID: d5b8558eb34075505483270bd57c79bd25e7b725cbd892d881ef42fa46da7711
                                                                                              • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                              • Instruction Fuzzy Hash: D351B3B0980348AFE330BF758C8AF67BAECEB55704F00492DF99682143D7BDA9458765
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00402078
                                                                                              • GetTickCount.KERNEL32 ref: 004020D4
                                                                                              • GetTickCount.KERNEL32 ref: 004020DB
                                                                                              • GetTickCount.KERNEL32 ref: 0040212B
                                                                                              • GetTickCount.KERNEL32 ref: 00402132
                                                                                              • GetTickCount.KERNEL32 ref: 00402142
                                                                                                • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                                • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                                • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                                • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                                • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                              • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                              • API String ID: 3976553417-1522128867
                                                                                              • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                              • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                              • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                              • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                              APIs
                                                                                              • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                              • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                              • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: closesockethtonssocket
                                                                                              • String ID: time_cfg
                                                                                              • API String ID: 311057483-2401304539
                                                                                              • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                              • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                              • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                              • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                              APIs
                                                                                                • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                                • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                              • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                              • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                              • GetTickCount.KERNEL32 ref: 0040C363
                                                                                              • GetTickCount.KERNEL32 ref: 0040C378
                                                                                              • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                              • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                              • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 1553760989-1857712256
                                                                                              • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                              • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                              • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                              • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00783068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00783078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00783095
• RtlAllocateHeap.NTDLL(00000000), ref: 007830B6
• htons.WS2_32(00000035), ref: 007830EF
• inet_addr.WS2_32(?), ref: 007830FA
• gethostbyname.WS2_32(?), ref: 0078310D
• HeapFree.KERNEL32(00000000), ref: 0078314D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 3bab4b7665f45b89bfc39abb1b2f357255c2d1f5fbfa5cb918e228851aa91b29
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 31318731E4060AABDB11ABBCDC4CAAE7778AF04F61F144125E518E7290DB7CDE418B54
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007867C3
• htonl.WS2_32(?), ref: 007867DF
• htonl.WS2_32(?), ref: 007867EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007868F1
• ExitProcess.KERNEL32 ref: 007869BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: e23bd7f508c8abb35fba742c0d6c65c3467317decb6e1f62545f3f6089b4f3d8
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: EC615071940208EFDB60AFB4DC45FEA77E9FB08300F148069F96DD2161DB7599948F54
APIs
• htons.WS2_32(0078CC84), ref: 0078F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0078F5CE
• closesocket.WS2_32(00000000), ref: 0078F5DC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 601d0fa4c20371f1001b25fb6555c543218af509c7ea1819fd7a83ef71eb4bb1
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: F6315A72A40118ABDB10EFA5DC89DEE7BBCEF88310F104566F915E3150E7749A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00782FA1
• LoadLibraryA.KERNEL32(?), ref: 00782FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00782FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00783000
• RtlAllocateHeap.NTDLL(00000000), ref: 00783007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00783032
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 6bd1a1b5ec82ea021da7d592a4b532bfc52a074098fa33ec8d8d825599d49567
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 6021A471980625BBCB21AB98DC489EEBBBDEF08B11F104421F901E7141D7B89E81C7D4
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wdlalqiu,00787043), ref: 00786F4E
• GetProcAddress.KERNEL32(00000000), ref: 00786F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00786F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00786F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\wdlalqiu
• API String ID: 1082366364-582506354
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: 12a4025699fa090bce9363291915759317fb4ead2325f3cccc56c05a67a05c0c
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 5A21C2617C5344B9F7227331AC8DFBB2A4C8B52711F2840A5F644A5192DADDC8D6C36D
                                                                                              APIs
                                                                                              • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • wsprintfA.USER32 ref: 004090E9
                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 2439722600-2980165447
                                                                                              • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                              • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                              • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                              • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                              APIs
                                                                                              • GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
                                                                                              • wsprintfA.USER32 ref: 00789350
                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
                                                                                              • lstrlen.KERNEL32(?,?,00000000), ref: 00789389
                                                                                              • WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0078939B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 2439722600-2980165447
                                                                                              • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                              • Instruction ID: a677a98da3d9aee16c71f691049b3079da5b76deedd8fde0d690a343223b0933
                                                                                              • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                              • Instruction Fuzzy Hash: 071157B5780114BBE7607772EC0EFEF3A6DDBC5B11F008065BB09E5091EBB84A558764
                                                                                              APIs
                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00789A18
                                                                                              • GetThreadContext.KERNEL32(?,?), ref: 00789A52
                                                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 00789A60
                                                                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00789A98
                                                                                              • SetThreadContext.KERNEL32(?,00010002), ref: 00789AB5
                                                                                              • ResumeThread.KERNEL32(?), ref: 00789AC2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                              • String ID: D
                                                                                              • API String ID: 2981417381-2746444292
                                                                                              • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                              • Instruction ID: b15de8dc03c43e32fa077fe81270d95784aaea7327ae09b2603fa0f470c7e840
                                                                                              • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                              • Instruction Fuzzy Hash: FB213BB1A41219BBDB11ABA1DC09EEF7BBCEF04750F448061FA19E1150E7798A44CBA5
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(004102D8), ref: 00781C18
                                                                                              • LoadLibraryA.KERNEL32(004102C8), ref: 00781C26
                                                                                              • GetProcessHeap.KERNEL32 ref: 00781C84
                                                                                              • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00781C9D
                                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00781CC1
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000), ref: 00781D02
                                                                                              • FreeLibrary.KERNEL32(?), ref: 00781D0B
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                              • String ID:
                                                                                              • API String ID: 2324436984-0
                                                                                              • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                              • Instruction ID: ad3110e32fe948610cd97040d80640b7f0850246609407a004ae0c5a5fe2ee87
                                                                                              • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                              • Instruction Fuzzy Hash: 8C314F32E40219BFCB11AFE4DC889FEBBB9EB45711B64447AE501A2110D7B94E81DBA4
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                              • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                              • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                              • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                              • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: QueryValue$CloseOpen
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 1586453840-2980165447
                                                                                              • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                              • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                              • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                              • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                              • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                              • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CreateEvent
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 1371578007-2980165447
                                                                                              • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                              • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                              • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                                              • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                              APIs
                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00786CE4
                                                                                              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00786D22
                                                                                              • GetLastError.KERNEL32 ref: 00786DA7
                                                                                              • CloseHandle.KERNEL32(?), ref: 00786DB5
                                                                                              • GetLastError.KERNEL32 ref: 00786DD6
                                                                                              • DeleteFileA.KERNEL32(?), ref: 00786DE7
                                                                                              • GetLastError.KERNEL32 ref: 00786DFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                              • String ID:
                                                                                              • API String ID: 3873183294-0
                                                                                              • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                              • Instruction ID: 63c244b3ab6a512c6fa3a06b18b7d64518628dcb37c5937cf447235420ea8759
                                                                                              • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                              • Instruction Fuzzy Hash: 2331FE76A40249BFCF01EFA49D48ADEBFB9EB48300F148466E211E3212D7748A858B61
                                                                                              APIs
                                                                                              • RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
                                                                                              • RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0078E38E
                                                                                              • RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
                                                                                              • RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseCreateDelete
                                                                                              • String ID: PromptOnSecureDesktop$Dx
                                                                                              • API String ID: 2667537340-1154937498
                                                                                              • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                              • Instruction ID: b9a742336527e5f60ba28222633e1201b5f99b874b97378a97f56ae149f20ed2
                                                                                              • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                              • Instruction Fuzzy Hash: CE213C71A4021DBBDF20AFA5EC89EEE7F79EF08750F048061F904E6161E7758A54D7A0
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                              • CharToOemA.USER32(?,?), ref: 00409174
                                                                                              • wsprintfA.USER32 ref: 004091A9
                                                                                                • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                                • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 3857584221-2980165447
                                                                                              • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                              • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                              • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                              • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007893C6
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 007893CD
                                                                                              • CharToOemA.USER32(?,?), ref: 007893DB
                                                                                              • wsprintfA.USER32 ref: 00789410
                                                                                                • Part of subcall function 007892CB: GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
                                                                                                • Part of subcall function 007892CB: wsprintfA.USER32 ref: 00789350
                                                                                                • Part of subcall function 007892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
                                                                                                • Part of subcall function 007892CB: lstrlen.KERNEL32(?,?,00000000), ref: 00789389
                                                                                                • Part of subcall function 007892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
                                                                                                • Part of subcall function 007892CB: CloseHandle.KERNEL32(00000000), ref: 0078939B
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00789448
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 3857584221-2980165447
                                                                                              • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                              • Instruction ID: cf521343015178553c3a1d2a393e6272c0b3de614ed31637e5ba322bc01a90f9
                                                                                              • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                              • Instruction Fuzzy Hash: B80152F6940158BBD721A7619D4DEDF377CDB95701F0040A1BB49E2080DAB897C58F75
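The API blocks above are the raw signal an analyst turns into detections: the CreateProcessA call whose 6th parameter (dwCreationFlags) is 00000004 (CREATE_SUSPENDED) followed by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread; the GetTempPathA, CreateFileA(GENERIC_WRITE, CREATE_ALWAYS), WriteFile, ShellExecuteA chain; and the RegCreateKeyExA / RegSetValueExA pair opened on 80000001 (HKEY_CURRENT_USER) with samDesired 00020106. The following script is an added example and not part of the Joe Sandbox report: it parses lines in the report's own "APIs" format and decodes those arguments. The sample input is copied from the blocks above and the parameter positions and constants are taken from the Win32 prototypes and SDK headers; calling the first sequence "suspended-process injection" is an interpretation of the call pattern, not something the report states. One caveat the parser encodes: the sandbox prints a fixed-size stack snapshot, so tokens beyond an API's real parameter count (RegCloseKey takes one argument but sixteen tokens are listed) are caller stack residue, not arguments.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: API lines copied from the "APIs" blocks of this
# report. Unresolved arguments are shown as "?" exactly as the sandbox prints them.
HOLLOWING_BLOCK = """
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00789A18
• GetThreadContext.KERNEL32(?,?), ref: 00789A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00789A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00789A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00789AB5
• ResumeThread.KERNEL32(?), ref: 00789AC2
"""

DROP_AND_RUN_BLOCK = """
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007893C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 007893CD
• CharToOemA.USER32(?,?), ref: 007893DB
• wsprintfA.USER32 ref: 00789410
  • Part of subcall function 007892CB: GetTempPathA.KERNEL32(00000400,?), ref: 007892E2
  • Part of subcall function 007892CB: wsprintfA.USER32 ref: 00789350
  • Part of subcall function 007892CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00789375
  • Part of subcall function 007892CB: lstrlen.KERNEL32(?,?,00000000), ref: 00789389
  • Part of subcall function 007892CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00789394
  • Part of subcall function 007892CB: CloseHandle.KERNEL32(00000000), ref: 0078939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00789448
"""

REGISTRY_BLOCK = """
• RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
• RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0078E38E
• RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
• RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
"""

# One report line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". wsprintfA lines carry no argument list.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 constants, values from the Windows SDK headers.
CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit
GENERIC_WRITE = 0x40000000      # CreateFile dwDesiredAccess bit
CREATE_ALWAYS = 2               # CreateFile dwCreationDisposition
KEY_WOW64_64KEY = 0x0100        # samDesired bit: use the 64-bit registry view
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}


def parse_block(text: str) -> List[Dict]:
    """Turn one "APIs" block into a list of calls.

    Resolved 8-digit hex tokens become ints; "?" and string tokens stay raw.
    Only the first N tokens are meaningful, N being the API's real parameter
    count; the rest is stack residue printed by the sandbox.
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = []
        for tok in (raw.split(",") if raw else []):
            tok = tok.strip()
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok)
        calls.append({"name": m.group("name"), "module": m.group("module"),
                      "ref": int(m.group("ref"), 16), "args": args})
    return calls


def _arg(call: Dict, i: int) -> Optional[int]:
    """Argument i as an int, or None when it is absent or unresolved."""
    if i < len(call["args"]) and isinstance(call["args"][i], int):
        return call["args"][i]
    return None


def detect(calls: List[Dict]) -> List[str]:
    """Decode the argument values that make these call sequences suspicious."""
    findings = []
    names = [re.sub(r"[AW]$", "", c["name"]) for c in calls]  # fold ANSI/Unicode variants

    for i, c in enumerate(calls):
        tail = names[i + 1:]
        if names[i] == "CreateProcess":
            # 6th parameter is dwCreationFlags; a suspended child that is then
            # written to and resumed is the classic hollowing loader pattern.
            flags = _arg(c, 5)
            if flags is not None and flags & CREATE_SUSPENDED and all(
                    n in tail for n in ("WriteProcessMemory", "SetThreadContext", "ResumeThread")):
                findings.append("suspended-process injection at ref %08X" % c["ref"])
        elif names[i] == "CreateFile" and "GetTempPath" in names:
            # 2nd parameter dwDesiredAccess, 5th dwCreationDisposition: a freshly
            # written %TEMP% file that is then launched.
            access, disp = _arg(c, 1), _arg(c, 4)
            if (access is not None and access & GENERIC_WRITE and disp == CREATE_ALWAYS
                    and "WriteFile" in tail and ("ShellExecute" in tail or "CreateProcess" in tail)):
                findings.append("temp-file drop and execute at ref %08X" % c["ref"])
        elif names[i] == "RegCreateKeyEx":
            hive = HIVES.get(_arg(c, 0), "handle")          # 1st parameter hKey
            sam = _arg(c, 5) or 0                            # 6th parameter samDesired
            view = " (KEY_WOW64_64KEY: 64-bit view requested)" if sam & KEY_WOW64_64KEY else ""
            findings.append("registry key created under %s%s at ref %08X" % (hive, view, c["ref"]))
        elif names[i] == "RegSetValueEx":
            vtype = REG_TYPES.get(_arg(c, 3), "unknown type")  # 4th parameter dwType
            findings.append("registry value written as %s at ref %08X" % (vtype, c["ref"]))
    return findings


if __name__ == "__main__":
    for block in (HOLLOWING_BLOCK, DROP_AND_RUN_BLOCK, REGISTRY_BLOCK):
        for f in detect(parse_block(block)):
            print(f)
```

Two of the decoded values matter when hunting for this sample's artefacts on a host: samDesired 00020106 on RegCreateKeyExA is KEY_WRITE | KEY_WOW64_64KEY, and 00020119 on the RegOpenKeyExA above is KEY_READ | KEY_WOW64_64KEY, so the code asks for the native 64-bit registry view and its keys will not be under WOW6432Node; and dwType 00000003 on RegSetValueExA is REG_BINARY, so a value-name search alone will not show readable content.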
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen
                                                                                              • String ID: $localcfg
                                                                                              • API String ID: 1659193697-2018645984
                                                                                              • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                              • Instruction ID: 8d1d207496ef616f35eceff2fca501376c02336d8d0640fbf19d9aaf779e6c9f
                                                                                              • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                              • Instruction Fuzzy Hash: 3D7109B1AC4304BAFF21BB54DC85FEE3B699B00715F244077F904E6091DA6E9D848767
                                                                                              APIs
                                                                                                • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                              • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                              • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                              • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                              • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                              • String ID: flags_upd$localcfg
                                                                                              • API String ID: 204374128-3505511081
                                                                                              • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                              • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                              • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                              • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                              APIs
                                                                                                • Part of subcall function 0078DF6C: GetCurrentThreadId.KERNEL32 ref: 0078DFBA
                                                                                              • lstrcmp.KERNEL32(00410178,00000000), ref: 0078E8FA
                                                                                              • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00786128), ref: 0078E950
                                                                                              • lstrcmp.KERNEL32(?,00000008), ref: 0078E989
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                              • String ID: A$ A$ A
                                                                                              • API String ID: 2920362961-1846390581
                                                                                              • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                              • Instruction ID: f3a78f06b441fe478f93ed133a6f2ae6492b7247684b4874492198e029fca0dd
                                                                                              • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                              • Instruction Fuzzy Hash: 05319031640705DBDB71AF24C888BAA7BE8EB15720F10852AE55587551D3B8FC80CB82
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Code
                                                                                              • String ID:
                                                                                              • API String ID: 3609698214-0
                                                                                              • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                              • Instruction ID: ad91502c918df71d043ef53d816e9cc1f178552f3268e5d244bc5e88c32108aa
                                                                                              • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                              • Instruction Fuzzy Hash: A5213876244219FFEB10ABA4EC49EDF3EADEB49760B208425F602D1091EB789A409774
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                              • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                              • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                              • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                              • String ID:
                                                                                              • API String ID: 3819781495-0
                                                                                              • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                              • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                              • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                              • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0078C6B4
                                                                                              • InterlockedIncrement.KERNEL32(0078C74B), ref: 0078C715
                                                                                              • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0078C747), ref: 0078C728
                                                                                              • CloseHandle.KERNEL32(00000000,?,0078C747,00413588,00788A77), ref: 0078C733
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 1026198776-1857712256
                                                                                              • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                              • Instruction ID: 1e6f1576e2e50f53fadbf419bc5d0a0ece3ed34da1cb4f80c9286cd8a0785033
                                                                                              • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                              • Instruction Fuzzy Hash: FE5151B1A41B418FD7359F69C5C5526BBE9FB48300B50593EE18BC7A90E778F844CB20
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                                • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                                • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                                • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                                • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                                • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                                • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                                • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                                • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                                • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                                • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                                • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 124786226-2980165447
                                                                                              • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                              • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                              • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                              • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                              APIs
                                                                                              • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                              • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                              • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseCreateDelete
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 2667537340-2980165447
                                                                                              • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                              • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                              • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                              • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 007871E1
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00787228
                                                                                              • LocalFree.KERNEL32(?,?,?), ref: 00787286
                                                                                              • wsprintfA.USER32 ref: 0078729D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                              • String ID: |
                                                                                              • API String ID: 2539190677-2343686810
                                                                                              • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                              • Instruction ID: 69799ed38631098953583dc070a86043a87f163e39c50755d062a3815318b6fd
                                                                                              • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                              • Instruction Fuzzy Hash: 32311C72944208FFDB01EFA4DC49ADA7BBCEF04314F148066F959DB101EA79D648CB94
                                                                                              APIs
                                                                                              • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$gethostnamelstrcpy
                                                                                              • String ID: LocalHost
                                                                                              • API String ID: 3695455745-3154191806
                                                                                              • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                              • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                              • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                              • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?), ref: 0078B51A
                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0078B529
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B548
                                                                                              • GetTimeZoneInformation.KERNEL32(?), ref: 0078B590
                                                                                              • wsprintfA.USER32 ref: 0078B61E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 4026320513-0
                                                                                              • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                              • Instruction ID: 335107ad3a58f150b19d811438a85d641bde38f5779872bf26dfccb59482764b
                                                                                              • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                              • Instruction Fuzzy Hash: 3F5100B1D4021DAACF14DFD5D8895EEBBB9BF48304F10816AF505B6150E7B84AC9CF98
                                                                                              APIs
                                                                                              • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00786303
                                                                                              • LoadLibraryA.KERNEL32(?), ref: 0078632A
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 007863B1
                                                                                              • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00786405
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: HugeRead$AddressLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 3498078134-0
                                                                                              • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                              • Instruction ID: 0c689eb95139ecdefd35ad0e3403977c96828d2c5fd596ff35aa5357045fabaf
                                                                                              • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                              • Instruction Fuzzy Hash: A64168B1A40209FFDB14EF58C884AADB7B8FF04314F288069E909D7690E739EE40CB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                              • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                              • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                              • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                              APIs
                                                                                                • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                              • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                              • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                              • String ID: A$ A
                                                                                              • API String ID: 3343386518-686259309
                                                                                              • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                              • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                              • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                              • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0040272E
                                                                                              • htons.WS2_32(00000001), ref: 00402752
                                                                                              • htons.WS2_32(0000000F), ref: 004027D5
                                                                                              • htons.WS2_32(00000001), ref: 004027E3
                                                                                              • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                              • String ID:
                                                                                              • API String ID: 1128258776-0
                                                                                              • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                              • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                              • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                              • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                              APIs
                                                                                              • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                              • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                              • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                              • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                              • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                              • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                              • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
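The setsockopt entry above is a convenient place to show how to work with these "APIs" lists mechanically instead of reading raw hex. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's API lines (call name, module, recovered arguments, call-site address, and the "Part of subcall function" prefix) and maps the setsockopt level/optname arguments to their Winsock names. The sample input is the five setsockopt lines copied from the entry above. One caveat a practitioner should keep in mind: Joe Sandbox prints argument values as recovered from the stack at the call site, so some columns are stale or "?"; only the level and optname arguments are decoded here, and the socket-handle column is deliberately not trusted.

```python
"""Parse the 'APIs' list of a Joe Sandbox function entry and decode Winsock
setsockopt() constants. Added example, not part of the Joe Sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# One "APIs" line of the report, e.g.
#   • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
#   • GetTickCount.KERNEL32 ref: 0040272E                      (no argument list)
#   • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
_HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")

Arg = Union[int, str, None]  # None stands for '?' (argument not recovered by the sandbox)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # set when the line is "Part of subcall function X"


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX_ARG.match(tok):
        return int(tok, 16)  # signed hex such as -000000DC is handled by int()
    return tok               # an inline string literal, e.g. localcfg or Iphlpapi.dll


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return every API line in `text` as an ApiCall; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


# Winsock constants (values from winsock2.h / ws2def.h) for the setsockopt() arguments
SOL_SOCKET = 0xFFFF
IPPROTO_TCP = 0x0006
_SOL_SOCKET_OPTS = {
    0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER",
    0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF",
    0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO",
}
_TCP_OPTS = {0x0001: "TCP_NODELAY"}


def decode_setsockopt(call: ApiCall) -> Tuple[str, str]:
    """Return (level, optname) as symbolic names for one setsockopt() call.
    Argument order is setsockopt(s, level, optname, optval, optlen); the socket
    handle in args[0] is not used because the sandbox often shows a stale value."""
    if call.api != "setsockopt" or len(call.args) < 3:
        raise ValueError("not a setsockopt call with recovered level/optname")
    level, opt = call.args[1], call.args[2]
    if not (isinstance(level, int) and isinstance(opt, int)):
        return ("?", "?")  # sandbox could not recover the argument
    if level == SOL_SOCKET:
        return ("SOL_SOCKET", _SOL_SOCKET_OPTS.get(opt, f"0x{opt:04X}"))
    if level == IPPROTO_TCP:
        return ("IPPROTO_TCP", _TCP_OPTS.get(opt, f"0x{opt:04X}"))
    return (f"0x{level:X}", f"0x{opt:X}")


def socket_options_from_report(text: str) -> List[Tuple[int, str, str]]:
    """(call-site address, level, optname) for every setsockopt() in an entry."""
    return [(c.ref,) + decode_setsockopt(c)
            for c in parse_api_lines(text) if c.api == "setsockopt"]


# Sample input: the five lines of the setsockopt entry above, copied verbatim.
SAMPLE = """\
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
"""

if __name__ == "__main__":
    for ref, level, opt in socket_options_from_report(SAMPLE):
        print(f"{ref:08X}  setsockopt({level}, {opt})")
```

Run against the entry above, this reports SO_REUSEADDR, SO_SNDTIMEO, SO_RCVTIMEO, TCP_NODELAY and SO_LINGER in call-site order: a client socket being set up with send/receive timeouts, Nagle disabled and a linger policy. The decoding says nothing about the peer or the protocol; that information comes from the sendto/htons entry and from the extracted C2 configuration, not from setsockopt.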
                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                              • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                              • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$lstrcmpi
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 1808961391-1857712256
                                                                                              • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                              • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                              • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                              • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000001,Dx,00000000,00000000,00000000), ref: 0078E470
                                                                                              • CloseHandle.KERNEL32(00000001,00000003), ref: 0078E484
                                                                                                • Part of subcall function 0078E2FC: RegCreateKeyExA.ADVAPI32(80000001,0078E50A,00000000,00000000,00000000,00020106,00000000,0078E50A,00000000,000000E4), ref: 0078E319
                                                                                                • Part of subcall function 0078E2FC: RegSetValueExA.ADVAPI32(0078E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0078E38E
                                                                                                • Part of subcall function 0078E2FC: RegDeleteValueA.ADVAPI32(0078E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx), ref: 0078E3BF
                                                                                                • Part of subcall function 0078E2FC: RegCloseKey.ADVAPI32(0078E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dx,0078E50A), ref: 0078E3C8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                              • String ID: PromptOnSecureDesktop$Dx
                                                                                              • API String ID: 4151426672-1154937498
                                                                                              • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                              • Instruction ID: 62fbe1fc4a2e4788591fbd1af2e110fab4b62fc7066f466e4188aaaa918b071b
                                                                                              • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                              • Instruction Fuzzy Hash: 9F4198B1980214FAEB207B528C4AFEB3B6CEB14765F148035FE0D94192E7B98A50D7B5
                                                                                              APIs
                                                                                                • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                              • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 3683885500-2980165447
                                                                                              • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                              • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                              • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                                              • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                              APIs
                                                                                                • Part of subcall function 0078DF6C: GetCurrentThreadId.KERNEL32 ref: 0078DFBA
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0078A6AC), ref: 0078E7BF
                                                                                              • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0078A6AC), ref: 0078E7EA
                                                                                              • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0078A6AC), ref: 0078E819
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 1396056608-2980165447
                                                                                              • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                              • Instruction ID: 3f9aba68736be6a9c1243481fc4e1dbd19a1d4730d4f98026fa4cc0a6f74dc65
                                                                                              • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                              • Instruction Fuzzy Hash: A621B7B1A80300BAE22077629C4FFEB3E5CDB65B61F100025FB0AA51D3FA9D995183B5
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                               • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                              • API String ID: 2574300362-1087626847
                                                                                              • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                              • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                              • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                              • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007876D9
                                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0078796D
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0078797E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseEnumOpen
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 1332880857-2980165447
                                                                                              • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                              • Instruction ID: 92098ff4450d991af6ce170486f9acc9a2d205519aabb7bda53b365209264477
                                                                                              • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                              • Instruction Fuzzy Hash: 0811DC70A44109AFDB12AFA9DC49FAFBF78EB91310F244161F512E6291E2B8CD40CB60
                                                                                              APIs
                                                                                                • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                              • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                              • String ID: hi_id$localcfg
                                                                                              • API String ID: 2777991786-2393279970
                                                                                              • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                              • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                              • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                              • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                              • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                              • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseDeleteOpenValue
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 849931509-2980165447
                                                                                              • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                              • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                              • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                              • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0078999D
                                                                                              • RegDeleteValueA.ADVAPI32(?,00000000), ref: 007899BD
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 007899C6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseDeleteOpenValue
                                                                                              • String ID: PromptOnSecureDesktop
                                                                                              • API String ID: 849931509-2980165447
                                                                                              • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                              • Instruction ID: 54024b693421c58b2c84714dde59e94a8845f57556cf8652eac554d587a6f4d2
                                                                                              • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                              • Instruction Fuzzy Hash: A9F0C2B2680208BBF7107B51AC0BFDB3A2CDB94B15F100060FB05B5082F6E99A9183B9
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbynameinet_addr
                                                                                              • String ID: time_cfg$u6A
                                                                                              • API String ID: 1594361348-1940331995
                                                                                              • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction ID: f54e17db91bb3e2e18ff366680972cfd35442e7a55dfa0556563681848d8bc3e
                                                                                              • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction Fuzzy Hash: 9BE0C2306041119FCB00AB2CF848AC537E4EF0A331F008180F040D31A1C738DCC29740
                                                                                              APIs
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
                                                                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
                                                                                              • CloseHandle.KERNEL32(000000FF), ref: 00786BD8
                                                                                                • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
                                                                                                • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                              • String ID:
                                                                                              • API String ID: 3384756699-0
                                                                                              • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                              • Instruction ID: 98284cedbb5e0bdd830b2312c414fc7784c5483ff006d889c06aaf1529bf7221
                                                                                              • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                              • Instruction Fuzzy Hash: 167136B194021DFFDB10AFA4CC85AEEBBB9FB04314F20456AE515E6190D7389E92DB60
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf
                                                                                              • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                              • API String ID: 2111968516-120809033
                                                                                              • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                              • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                              • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                              • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                              • GetLastError.KERNEL32 ref: 00403F4E
                                                                                              • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3373104450-0
                                                                                              • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                              • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                              APIs
                                                                                              • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                              • GetLastError.KERNEL32 ref: 00403FC2
                                                                                              • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 888215731-0
                                                                                              • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                              • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007841AB
                                                                                              • GetLastError.KERNEL32 ref: 007841B5
                                                                                              • WaitForSingleObject.KERNEL32(?,?), ref: 007841C6
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007841D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3373104450-0
                                                                                              • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction ID: 0e4109f3f68f01feb6924853711e7862713e3c47d7cb17c4899ed68bdf49b805
                                                                                              • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction Fuzzy Hash: A001A97691110EABDF01EF91ED88BEE7B6CEB18355F104061F901E2050D7B49A948BB9
                                                                                              APIs
                                                                                              • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0078421F
                                                                                              • GetLastError.KERNEL32 ref: 00784229
                                                                                              • WaitForSingleObject.KERNEL32(?,?), ref: 0078423A
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0078424D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 888215731-0
                                                                                              • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction ID: 349961e146e23fbe600ff5eecd25aa1a6ec98d1e63e6c483878e9f51718b02eb
                                                                                              • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction Fuzzy Hash: 5A01A57255510AABDF01EF90ED84BEE7BACFB08355F108461F901E2050D7B49A549BB6
                                                                                              APIs
                                                                                              • lstrcmp.KERNEL32(?,80000009), ref: 0078E066
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp
                                                                                              • String ID: A$ A$ A
                                                                                              • API String ID: 1534048567-1846390581
                                                                                              • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                              • Instruction ID: 0c6a11cff764635da061b8444645764357d3c6bfcf441a47ddffcdc2cfb15445
                                                                                              • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                              • Instruction Fuzzy Hash: ADF06D322007169BCB20DF65DC84A92B7E9FB09321B648A2AE158D3060D3B9E898CB55
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
• Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
• Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
• Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
• Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
  • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop
• API String ID: 4151426672-2980165447
• Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
• Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
• Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007883C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00788477
  • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007869E5
  • Part of subcall function 007869C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00786A26
  • Part of subcall function 007869C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00786A3A
  • Part of subcall function 0078EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00781DCF,?), ref: 0078EEA8
  • Part of subcall function 0078EE95: HeapFree.KERNEL32(00000000), ref: 0078EEAF
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 359188348-2980165447
• Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction ID: c9cf97f7ebe9aef36ac5b16251964888eef20f1adb5550a99368ffa7c3806934
• Instruction Fuzzy Hash: 4E4172B298014EBFEB50FFA09D85DFF776CEB04340F5444AAF509D6011FAB85A948B61
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0078E859,00000000,00020119,0078E859,PromptOnSecureDesktop), ref: 0078E64D
• RegCloseKey.ADVAPI32(0078E859,?,?,?,?,000000C8,000000E4), ref: 0078E787
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Similarity
• API ID: CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 47109696-2980165447
• Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
• Instruction ID: 7b8bdda5a7e4c4cf9f806ea7de3298b2719806932731a7afd300b02ae19375ba
• Instruction Fuzzy Hash: E14133B2D4021DFFDF11AFA8DC85DEEBBB9FB18304F104466EA00A6160E3759A158B60
APIs
• GetLocalTime.KERNEL32(?), ref: 0078AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0078B00D
  • Part of subcall function 0078AF6F: gethostname.WS2_32(?,00000080), ref: 0078AF83
  • Part of subcall function 0078AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0078AFE6
  • Part of subcall function 0078331C: gethostname.WS2_32(?,00000080), ref: 0078333F
  • Part of subcall function 0078331C: gethostbyname.WS2_32(?), ref: 00783349
  • Part of subcall function 0078AA0A: inet_ntoa.WS2_32(00000000), ref: 0078AA10
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
• Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction ID: a5081ab1866e201947f4913d7becc379667e44a1ac24d862e467f7019fe34b7f
• Instruction Fuzzy Hash: D041007294024CEBDB25EFA0DC4AEEF3B6CFB08304F144426F92592152EB79D6548B55
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00789536
• Sleep.KERNEL32(000001F4), ref: 0078955D
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
• Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction ID: 1c6550bddf4d4fdf82d514ccb3f21c13f3bb6e3bcb39c457d093c96d3ab24ce8
• Instruction Fuzzy Hash: 604109B19843846EEB77BB64D88C7F63BE49B02310F2C01A5D686971E2E67C4D918711
APIs
• GetTickCount.KERNEL32 ref: 0078B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0078BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0078BA94
• GetTickCount.KERNEL32 ref: 0078BB79
• GetTickCount.KERNEL32 ref: 0078BB99
• InterlockedIncrement.KERNEL32(?), ref: 0078BE15
• closesocket.WS2_32(00000000), ref: 0078BEB4
Memory Dump Source
• Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: 7c4d418ef009b8906e25c177d85b854f1ef8557d33eca62f119affb04f18dcf2
• Instruction Fuzzy Hash: E5317F71580248EFDF25EFA4DC89AEE77B8EB48700F204056FA2492161EB79DA85CF54
Memory Dump Source
• Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                              APIs
                                                                                              Strings
                                                                                              • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTickwsprintf
                                                                                              • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                              • API String ID: 2424974917-1012700906
                                                                                              • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                              • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                              • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                              • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                              APIs
                                                                                                • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                              • String ID: %FROM_EMAIL
                                                                                              • API String ID: 3716169038-2903620461
                                                                                              • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                              • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                              • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                              • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 007870BC
                                                                                              • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007870F4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Name$AccountLookupUser
                                                                                              • String ID: |
                                                                                              • API String ID: 2370142434-2343686810
                                                                                              • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                              • Instruction ID: 07a87876702d130a63a1f1e3756ed7e6a6f820ffd8e55d68b8fb3d18a6f09ab7
                                                                                              • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                              • Instruction Fuzzy Hash: 2F113C72D4411CEBDF55DFD4DC88ADEB7BCAB44301F2441A6E512E6090E674DB88CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                              • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 2777991786-1857712256
                                                                                              • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                              • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                              • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                              • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                              APIs
                                                                                              • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                              • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: IncrementInterlockedlstrcpyn
                                                                                              • String ID: %FROM_EMAIL
                                                                                              • API String ID: 224340156-2903620461
                                                                                              • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                              • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                              • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                              • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                              APIs
                                                                                              • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                              • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbyaddrinet_ntoa
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 2112563974-1857712256
                                                                                              • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                              • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                              • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                              • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbynameinet_addr
                                                                                              • String ID: time_cfg
                                                                                              • API String ID: 1594361348-2401304539
                                                                                              • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                              • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: ntdll.dll
                                                                                              • API String ID: 2574300362-2227199552
                                                                                              • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                              • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                              • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                              • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                              APIs
                                                                                                • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2092652370.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                              • Associated: 00000000.00000002.2092652370.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_400000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1017166417-0
                                                                                              • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                              • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                              • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                              • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                              APIs
                                                                                                • Part of subcall function 00782F88: GetModuleHandleA.KERNEL32(?), ref: 00782FA1
                                                                                                • Part of subcall function 00782F88: LoadLibraryA.KERNEL32(?), ref: 00782FB1
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007831DA
                                                                                              • HeapFree.KERNEL32(00000000), ref: 007831E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.2094151970.0000000000780000.00000040.00001000.00020000.00000000.sdmp, Offset: 00780000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_780000_vekvtia.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1017166417-0
                                                                                              • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                              • Instruction ID: b1b0c1146997e16d652d6cf526e355ffa6fc717f626ca4eab37d9ecdda0bd4a0
                                                                                              • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                              • Instruction Fuzzy Hash: 4D519A3194020AEFCF01AF68D8889FAB775FF15705F244169EC96C7211E73ADA19CB90

                                                                                              Execution Graph

                                                                                              Execution Coverage: 3%
                                                                                              Dynamic/Decrypted Code Coverage: 100%
                                                                                              Signature Coverage: 0%
                                                                                              Total number of Nodes: 1606
                                                                                              Total number of Limit Nodes: 14
                                                                                              execution_graph 14879 409961 RegisterServiceCtrlHandlerA 14880 40997d 14879->14880 14887 4099cb 14879->14887 14889 409892 14880->14889 14882 40999a 14883 4099ba 14882->14883 14884 409892 SetServiceStatus 14882->14884 14886 409892 SetServiceStatus 14883->14886 14883->14887 14885 4099aa 14884->14885 14885->14883 14892 4098f2 14885->14892 14886->14887 14890 4098c2 SetServiceStatus 14889->14890 14890->14882 14893 4098f6 14892->14893 14895 409904 Sleep 14893->14895 14897 409917 14893->14897 14900 404280 CreateEventA 14893->14900 14895->14893 14896 409915 14895->14896 14896->14897 14899 409947 14897->14899 14927 40977c 14897->14927 14899->14883 14901 4042a5 14900->14901 14902 40429d 14900->14902 14941 403ecd 14901->14941 14902->14893 14904 4042b0 14945 404000 14904->14945 14907 4043c1 CloseHandle 14907->14902 14908 4042ce 14951 403f18 WriteFile 14908->14951 14913 4043ba CloseHandle 14913->14907 14914 404318 14915 403f18 4 API calls 14914->14915 14916 404331 14915->14916 14917 403f18 4 API calls 14916->14917 14918 40434a 14917->14918 14959 40ebcc GetProcessHeap HeapAlloc 14918->14959 14921 403f18 4 API calls 14922 404389 14921->14922 14962 40ec2e 14922->14962 14925 403f8c 4 API calls 14926 40439f CloseHandle CloseHandle 14925->14926 14926->14902 14991 40ee2a 14927->14991 14930 4097bb 14930->14899 14931 4097c2 14932 4097d4 Wow64GetThreadContext 14931->14932 14933 409801 14932->14933 14934 4097f5 14932->14934 14993 40637c 14933->14993 14935 4097f6 TerminateProcess 14934->14935 14935->14930 14937 409816 14937->14935 14938 40981e WriteProcessMemory 14937->14938 14938->14934 14939 40983b Wow64SetThreadContext 14938->14939 14939->14934 14940 409858 ResumeThread 14939->14940 14940->14930 14942 403edc 14941->14942 14944 403ee2 14941->14944 14967 406dc2 14942->14967 14944->14904 14946 40400b CreateFileA 14945->14946 14947 40402c GetLastError 14946->14947 14948 404052 14946->14948 
14947->14948 14949 404037 14947->14949 14948->14902 14948->14907 14948->14908 14949->14948 14950 404041 Sleep 14949->14950 14950->14946 14950->14948 14952 403f7c 14951->14952 14953 403f4e GetLastError 14951->14953 14955 403f8c ReadFile 14952->14955 14953->14952 14954 403f5b WaitForSingleObject GetOverlappedResult 14953->14954 14954->14952 14956 403ff0 14955->14956 14957 403fc2 GetLastError 14955->14957 14956->14913 14956->14914 14957->14956 14958 403fcf WaitForSingleObject GetOverlappedResult 14957->14958 14958->14956 14985 40eb74 14959->14985 14963 40ec37 14962->14963 14964 40438f 14962->14964 14988 40eba0 14963->14988 14964->14925 14968 406dd7 14967->14968 14972 406e24 14967->14972 14973 406cc9 14968->14973 14970 406ddc 14970->14970 14971 406e02 GetVolumeInformationA 14970->14971 14970->14972 14971->14972 14972->14944 14974 406cdc GetModuleHandleA GetProcAddress 14973->14974 14975 406dbe 14973->14975 14976 406d12 GetSystemDirectoryA 14974->14976 14977 406cfd 14974->14977 14975->14970 14978 406d27 GetWindowsDirectoryA 14976->14978 14979 406d1e 14976->14979 14977->14976 14981 406d8b 14977->14981 14980 406d42 14978->14980 14979->14978 14979->14981 14983 40ef1e lstrlenA 14980->14983 14981->14975 14981->14981 14984 40ef32 14983->14984 14984->14981 14986 40eb7b GetProcessHeap HeapSize 14985->14986 14987 404350 14985->14987 14986->14987 14987->14921 14989 40eba7 GetProcessHeap HeapSize 14988->14989 14990 40ebbf GetProcessHeap HeapFree 14988->14990 14989->14990 14990->14964 14992 409794 CreateProcessA 14991->14992 14992->14930 14992->14931 14994 406386 14993->14994 14995 40638a GetModuleHandleA VirtualAlloc 14993->14995 14994->14937 14996 4063f5 14995->14996 14997 4063b6 14995->14997 14996->14937 14998 4063be VirtualAllocEx 14997->14998 14998->14996 14999 4063d6 14998->14999 15000 4063df WriteProcessMemory 14999->15000 15000->14996 15076 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 15193 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 
15076->15193 15078 409a95 15079 409aa3 GetModuleHandleA GetModuleFileNameA 15078->15079 15084 40a3c7 15078->15084 15093 409ac4 15079->15093 15080 40a41c CreateThread WSAStartup 15304 40e52e 15080->15304 16131 40405e CreateEventA 15080->16131 15082 409afd GetCommandLineA 15091 409b22 15082->15091 15083 40a406 DeleteFileA 15083->15084 15085 40a40d 15083->15085 15084->15080 15084->15083 15084->15085 15088 40a3ed GetLastError 15084->15088 15085->15080 15086 40a445 15323 40eaaf 15086->15323 15088->15085 15090 40a3f8 Sleep 15088->15090 15089 40a44d 15327 401d96 15089->15327 15090->15083 15096 409c0c 15091->15096 15105 409b47 15091->15105 15093->15082 15094 40a457 15375 4080c9 15094->15375 15194 4096aa 15096->15194 15102 40a1d2 15114 40a1e3 GetCommandLineA 15102->15114 15103 409c39 15107 40a167 GetModuleHandleA GetModuleFileNameA 15103->15107 15112 409c4b 15103->15112 15106 409b96 lstrlenA 15105->15106 15113 409b58 15105->15113 15106->15113 15110 409c05 ExitProcess 15107->15110 15111 40a189 15107->15111 15111->15110 15122 40a1b2 GetDriveTypeA 15111->15122 15112->15107 15116 404280 30 API calls 15112->15116 15113->15110 15117 409bd2 15113->15117 15138 40a205 15114->15138 15119 409c5b 15116->15119 15206 40675c 15117->15206 15119->15107 15125 40675c 21 API calls 15119->15125 15122->15110 15124 40a1c5 15122->15124 15296 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 15124->15296 15127 409c79 15125->15127 15127->15107 15134 409ca0 GetTempPathA 15127->15134 15135 409e3e 15127->15135 15128 409bff 15128->15110 15130 40a491 15131 40a49f GetTickCount 15130->15131 15132 40a4be Sleep 15130->15132 15137 40a4b7 GetTickCount 15130->15137 15421 40c913 15130->15421 15131->15130 15131->15132 15132->15130 15134->15135 15136 409cba 15134->15136 15143 409e6b GetEnvironmentVariableA 15135->15143 15145 409e04 15135->15145 15244 4099d2 lstrcpyA 15136->15244 15137->15132 15144 40a285 lstrlenA 15138->15144 15152 40a239 15138->15152 15139 40ec2e codecvt 4 API calls 15141 40a15d 15139->15141 
15141->15107 15141->15110 15143->15145 15146 409e7d 15143->15146 15144->15152 15145->15139 15147 4099d2 16 API calls 15146->15147 15149 409e9d 15147->15149 15148 406dc2 6 API calls 15150 409d5f 15148->15150 15149->15145 15154 409eb0 lstrcpyA lstrlenA 15149->15154 15155 406cc9 5 API calls 15150->15155 15202 406ec3 15152->15202 15153 40a3c2 15156 4098f2 41 API calls 15153->15156 15157 409ef4 15154->15157 15160 409d72 lstrcpyA lstrcatA lstrcatA 15155->15160 15156->15084 15158 406dc2 6 API calls 15157->15158 15161 409f03 15157->15161 15158->15161 15159 40a39d StartServiceCtrlDispatcherA 15159->15153 15162 409cf6 15160->15162 15163 409f32 RegOpenKeyExA 15161->15163 15251 409326 15162->15251 15165 409f48 RegSetValueExA RegCloseKey 15163->15165 15168 409f70 15163->15168 15164 40a35f 15164->15153 15164->15159 15165->15168 15174 409f9d GetModuleHandleA GetModuleFileNameA 15168->15174 15169 409e0c DeleteFileA 15169->15135 15170 409dde GetFileAttributesExA 15170->15169 15172 409df7 15170->15172 15172->15145 15288 4096ff 15172->15288 15175 409fc2 15174->15175 15176 40a093 15174->15176 15175->15176 15182 409ff1 GetDriveTypeA 15175->15182 15177 40a103 CreateProcessA 15176->15177 15178 40a0a4 wsprintfA 15176->15178 15179 40a13a 15177->15179 15180 40a12a DeleteFileA 15177->15180 15294 402544 15178->15294 15179->15145 15186 4096ff 3 API calls 15179->15186 15180->15179 15182->15176 15184 40a00d 15182->15184 15188 40a02d lstrcatA 15184->15188 15185 40ee2a 15187 40a0ec lstrcatA 15185->15187 15186->15145 15187->15177 15189 40a046 15188->15189 15190 40a052 lstrcatA 15189->15190 15191 40a064 lstrcatA 15189->15191 15190->15191 15191->15176 15192 40a081 lstrcatA 15191->15192 15192->15176 15193->15078 15195 4096b9 15194->15195 15524 4073ff 15195->15524 15197 4096e2 15198 4096e9 15197->15198 15199 4096fa 15197->15199 15544 40704c 15198->15544 15199->15102 15199->15103 15201 4096f7 15201->15199 15203 406ecc 15202->15203 15205 406ed5 15202->15205 15569 406e36 GetUserNameW 15203->15569 
15205->15164 15207 406784 CreateFileA 15206->15207 15208 40677a SetFileAttributesA 15206->15208 15209 4067a4 CreateFileA 15207->15209 15210 4067b5 15207->15210 15208->15207 15209->15210 15211 4067c5 15210->15211 15212 4067ba SetFileAttributesA 15210->15212 15213 406977 15211->15213 15214 4067cf GetFileSize 15211->15214 15212->15211 15213->15110 15231 406a60 CreateFileA 15213->15231 15215 4067e5 15214->15215 15229 406922 15214->15229 15217 4067ed ReadFile 15215->15217 15215->15229 15216 40696e CloseHandle 15216->15213 15218 406811 SetFilePointer 15217->15218 15217->15229 15219 40682a ReadFile 15218->15219 15218->15229 15220 406848 SetFilePointer 15219->15220 15219->15229 15224 406867 15220->15224 15220->15229 15221 406878 ReadFile 15222 4068d0 15221->15222 15221->15224 15222->15216 15223 40ebcc 4 API calls 15222->15223 15225 4068f8 15223->15225 15224->15221 15224->15222 15226 406900 SetFilePointer 15225->15226 15225->15229 15227 40695a 15226->15227 15228 40690d ReadFile 15226->15228 15230 40ec2e codecvt 4 API calls 15227->15230 15228->15227 15228->15229 15229->15216 15230->15229 15232 406b8c GetLastError 15231->15232 15233 406a8f GetDiskFreeSpaceA 15231->15233 15234 406b86 15232->15234 15235 406ac5 15233->15235 15241 406ad7 15233->15241 15234->15128 15572 40eb0e 15235->15572 15239 406b56 CloseHandle 15239->15234 15243 406b65 GetLastError CloseHandle 15239->15243 15240 406b36 GetLastError CloseHandle 15242 406b7f DeleteFileA 15240->15242 15576 406987 15241->15576 15242->15234 15243->15242 15245 4099eb 15244->15245 15246 409a2f lstrcatA 15245->15246 15247 40ee2a 15246->15247 15248 409a4b lstrcatA 15247->15248 15249 406a60 13 API calls 15248->15249 15250 409a60 15249->15250 15250->15135 15250->15148 15250->15162 15586 401910 15251->15586 15254 40934a GetModuleHandleA GetModuleFileNameA 15256 40937f 15254->15256 15257 4093a4 15256->15257 15258 4093d9 15256->15258 15259 4093c3 wsprintfA 15257->15259 15260 409401 wsprintfA 15258->15260 15262 409415 15259->15262 
15260->15262 15261 4094a0 15588 406edd 15261->15588 15262->15261 15264 406cc9 5 API calls 15262->15264 15271 409439 15264->15271 15265 4094ac 15266 40962f 15265->15266 15267 4094e8 RegOpenKeyExA 15265->15267 15272 409646 15266->15272 15609 401820 15266->15609 15269 409502 15267->15269 15270 4094fb 15267->15270 15274 40951f RegQueryValueExA 15269->15274 15270->15266 15276 40958a 15270->15276 15275 40ef1e lstrlenA 15271->15275 15281 4095d6 15272->15281 15615 4091eb 15272->15615 15278 409530 15274->15278 15279 409539 15274->15279 15280 409462 15275->15280 15276->15272 15277 409593 15276->15277 15277->15281 15596 40f0e4 15277->15596 15282 40956e RegCloseKey 15278->15282 15283 409556 RegQueryValueExA 15279->15283 15284 40947e wsprintfA 15280->15284 15281->15169 15281->15170 15282->15270 15283->15278 15283->15282 15284->15261 15286 4095bb 15286->15281 15603 4018e0 15286->15603 15289 402544 15288->15289 15290 40972d RegOpenKeyExA 15289->15290 15291 409740 15290->15291 15292 409765 15290->15292 15293 40974f RegDeleteValueA RegCloseKey 15291->15293 15292->15145 15293->15292 15295 402554 lstrcatA 15294->15295 15295->15185 15297 402544 15296->15297 15298 40919e wsprintfA 15297->15298 15299 4091bb 15298->15299 15653 409064 GetTempPathA 15299->15653 15302 4091d5 ShellExecuteA 15303 4091e7 15302->15303 15303->15128 15660 40dd05 GetTickCount 15304->15660 15306 40e538 15667 40dbcf 15306->15667 15308 40e544 15309 40e555 GetFileSize 15308->15309 15313 40e5b8 15308->15313 15310 40e5b1 CloseHandle 15309->15310 15311 40e566 15309->15311 15310->15313 15677 40db2e 15311->15677 15686 40e3ca RegOpenKeyExA 15313->15686 15315 40e576 ReadFile 15315->15310 15317 40e58d 15315->15317 15681 40e332 15317->15681 15319 40e5f2 15321 40e629 15319->15321 15322 40e3ca 19 API calls 15319->15322 15321->15086 15322->15321 15324 40eaba 15323->15324 15325 40eabe 15323->15325 15324->15089 15325->15324 15326 40dd05 6 API calls 15325->15326 15326->15324 15328 40ee2a 15327->15328 15329 401db4 GetVersionExA 
15328->15329 15330 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 15329->15330 15332 401e24 15330->15332 15333 401e16 GetCurrentProcess 15330->15333 15739 40e819 15332->15739 15333->15332 15335 401e3d 15336 40e819 11 API calls 15335->15336 15337 401e4e 15336->15337 15344 401e77 15337->15344 15746 40df70 15337->15746 15340 401e6c 15342 40df70 12 API calls 15340->15342 15342->15344 15343 40e819 11 API calls 15345 401e93 15343->15345 15755 40ea84 15344->15755 15759 40199c inet_addr LoadLibraryA 15345->15759 15348 40e819 11 API calls 15349 401eb9 15348->15349 15350 401ed8 15349->15350 15351 40f04e 4 API calls 15349->15351 15352 40e819 11 API calls 15350->15352 15353 401ec9 15351->15353 15354 401eee 15352->15354 15355 40ea84 30 API calls 15353->15355 15356 401f0a 15354->15356 15772 401b71 15354->15772 15355->15350 15357 40e819 11 API calls 15356->15357 15359 401f23 15357->15359 15361 401f3f 15359->15361 15776 401bdf 15359->15776 15360 401efd 15362 40ea84 30 API calls 15360->15362 15364 40e819 11 API calls 15361->15364 15362->15356 15366 401f5e 15364->15366 15368 401f77 15366->15368 15369 40ea84 30 API calls 15366->15369 15367 40ea84 30 API calls 15367->15361 15783 4030b5 15368->15783 15369->15368 15372 406ec3 2 API calls 15374 401f8e GetTickCount 15372->15374 15374->15094 15376 406ec3 2 API calls 15375->15376 15377 4080eb 15376->15377 15378 4080f9 15377->15378 15379 4080ef 15377->15379 15381 40704c 16 API calls 15378->15381 15831 407ee6 15379->15831 15383 408110 15381->15383 15382 408269 CreateThread 15400 405e6c 15382->15400 16160 40877e 15382->16160 15385 408156 RegOpenKeyExA 15383->15385 15386 4080f4 15383->15386 15384 40675c 21 API calls 15390 408244 15384->15390 15385->15386 15387 40816d RegQueryValueExA 15385->15387 15386->15382 15386->15384 15388 4081f7 15387->15388 15389 40818d 15387->15389 15391 40820d RegCloseKey 15388->15391 15393 40ec2e codecvt 4 API calls 15388->15393 15389->15388 15394 40ebcc 4 API calls 15389->15394 15390->15382 15392 40ec2e codecvt 
4 API calls 15390->15392 15391->15386 15392->15382 15399 4081dd 15393->15399 15395 4081a0 15394->15395 15395->15391 15396 4081aa RegQueryValueExA 15395->15396 15396->15388 15397 4081c4 15396->15397 15398 40ebcc 4 API calls 15397->15398 15398->15399 15399->15391 15899 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15400->15899 15402 405e71 15900 40e654 15402->15900 15404 405ec1 15405 403132 15404->15405 15406 40df70 12 API calls 15405->15406 15407 40313b 15406->15407 15408 40c125 15407->15408 15911 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15408->15911 15410 40c12d 15411 40e654 13 API calls 15410->15411 15412 40c2bd 15411->15412 15413 40e654 13 API calls 15412->15413 15414 40c2c9 15413->15414 15415 40e654 13 API calls 15414->15415 15416 40a47a 15415->15416 15417 408db1 15416->15417 15418 408dbc 15417->15418 15419 40e654 13 API calls 15418->15419 15420 408dec Sleep 15419->15420 15420->15130 15422 40c92f 15421->15422 15423 40c93c 15422->15423 15912 40c517 15422->15912 15425 40e819 11 API calls 15423->15425 15457 40ca2b 15423->15457 15426 40c96a 15425->15426 15427 40e819 11 API calls 15426->15427 15428 40c97d 15427->15428 15429 40e819 11 API calls 15428->15429 15430 40c990 15429->15430 15431 40c9aa 15430->15431 15432 40ebcc 4 API calls 15430->15432 15431->15457 15929 402684 15431->15929 15432->15431 15437 40ca26 15936 40c8aa 15437->15936 15440 40ca44 15441 40ca4b closesocket 15440->15441 15442 40ca83 15440->15442 15441->15437 15443 40ea84 30 API calls 15442->15443 15444 40caac 15443->15444 15445 40f04e 4 API calls 15444->15445 15446 40cab2 15445->15446 15447 40ea84 30 API calls 15446->15447 15448 40caca 15447->15448 15449 40ea84 30 API calls 15448->15449 15450 40cad9 15449->15450 15944 40c65c 15450->15944 15453 40cb60 closesocket 15453->15457 15455 40dad2 closesocket 15456 40e318 23 API calls 15455->15456 15456->15457 15457->15130 15458 40df4c 20 API calls 15518 40cb70 15458->15518 15463 40e654 13 API calls 15463->15518 15466 
40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15466->15518 15470 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15470->15518 15471 40ea84 30 API calls 15471->15518 15472 40d569 closesocket Sleep 15991 40e318 15472->15991 15473 40d815 wsprintfA 15473->15518 15474 40cc1c GetTempPathA 15474->15518 15475 407ead 6 API calls 15475->15518 15476 40c517 23 API calls 15476->15518 15478 40e8a1 30 API calls 15478->15518 15479 40d582 ExitProcess 15480 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15480->15518 15481 40cfe3 GetSystemDirectoryA 15481->15518 15482 40cfad GetEnvironmentVariableA 15482->15518 15483 40675c 21 API calls 15483->15518 15484 40d027 GetSystemDirectoryA 15484->15518 15485 40d105 lstrcatA 15485->15518 15486 40ef1e lstrlenA 15486->15518 15487 40cc9f CreateFileA 15488 40ccc6 WriteFile 15487->15488 15487->15518 15492 40cdcc CloseHandle 15488->15492 15493 40cced CloseHandle 15488->15493 15489 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15489->15518 15490 40d15b CreateFileA 15491 40d182 WriteFile CloseHandle 15490->15491 15490->15518 15491->15518 15492->15518 15498 40cd2f 15493->15498 15494 40cd16 wsprintfA 15494->15498 15495 40d149 SetFileAttributesA 15495->15490 15496 40d36e GetEnvironmentVariableA 15496->15518 15497 40d1bf SetFileAttributesA 15497->15518 15498->15494 15973 407fcf 15498->15973 15499 40d22d GetEnvironmentVariableA 15499->15518 15500 40d3af lstrcatA 15502 40d3f2 CreateFileA 15500->15502 15500->15518 15505 40d415 WriteFile CloseHandle 15502->15505 15502->15518 15504 407fcf 64 API calls 15504->15518 15505->15518 15506 40cd81 WaitForSingleObject CloseHandle CloseHandle 15508 40f04e 4 API calls 15506->15508 15507 40cda5 15509 407ee6 64 API calls 15507->15509 15508->15507 15513 40cdbd DeleteFileA 15509->15513 15510 40d4b1 CreateProcessA 15514 40d4e8 CloseHandle CloseHandle 15510->15514 15510->15518 15511 40d3e0 SetFileAttributesA 15511->15502 15512 
40d26e lstrcatA 15515 40d2b1 CreateFileA 15512->15515 15512->15518 15513->15518 15514->15518 15515->15518 15519 40d2d8 WriteFile CloseHandle 15515->15519 15516 407ee6 64 API calls 15516->15518 15517 40d452 SetFileAttributesA 15517->15518 15518->15455 15518->15458 15518->15463 15518->15466 15518->15470 15518->15471 15518->15472 15518->15473 15518->15474 15518->15475 15518->15476 15518->15478 15518->15480 15518->15481 15518->15482 15518->15483 15518->15484 15518->15485 15518->15486 15518->15487 15518->15489 15518->15490 15518->15495 15518->15496 15518->15497 15518->15499 15518->15500 15518->15502 15518->15504 15518->15510 15518->15511 15518->15512 15518->15515 15518->15516 15518->15517 15521 40d29f SetFileAttributesA 15518->15521 15523 40d31d SetFileAttributesA 15518->15523 15952 40c75d 15518->15952 15964 407e2f 15518->15964 15986 407ead 15518->15986 15996 4031d0 15518->15996 16013 403c09 15518->16013 16023 403a00 15518->16023 16027 40e7b4 15518->16027 16030 40c06c 15518->16030 16036 406f5f GetUserNameA 15518->16036 16047 40e854 15518->16047 16057 407dd6 15518->16057 15519->15518 15521->15515 15523->15518 15525 40741b 15524->15525 15526 406dc2 6 API calls 15525->15526 15527 40743f 15526->15527 15528 407469 RegOpenKeyExA 15527->15528 15530 4077f9 15528->15530 15540 407487 ___ascii_stricmp 15528->15540 15529 407703 RegEnumKeyA 15531 407714 RegCloseKey 15529->15531 15529->15540 15530->15197 15531->15530 15532 40f1a5 lstrlenA 15532->15540 15533 4074d2 RegOpenKeyExA 15533->15540 15534 40772c 15536 407742 RegCloseKey 15534->15536 15537 40774b 15534->15537 15535 407521 RegQueryValueExA 15535->15540 15536->15537 15538 4077ec RegCloseKey 15537->15538 15538->15530 15539 4076e4 RegCloseKey 15539->15540 15540->15529 15540->15532 15540->15533 15540->15534 15540->15535 15540->15539 15542 40777e GetFileAttributesExA 15540->15542 15543 407769 15540->15543 15541 4077e3 RegCloseKey 15541->15538 15542->15543 15543->15541 15545 407073 15544->15545 15546 4070b9 RegOpenKeyExA 15545->15546 
15547 4070d0 15546->15547 15561 4071b8 15546->15561 15548 406dc2 6 API calls 15547->15548 15551 4070d5 15548->15551 15549 40719b RegEnumValueA 15550 4071af RegCloseKey 15549->15550 15549->15551 15550->15561 15551->15549 15553 4071d0 15551->15553 15567 40f1a5 lstrlenA 15551->15567 15554 407205 RegCloseKey 15553->15554 15555 407227 15553->15555 15554->15561 15556 4072b8 ___ascii_stricmp 15555->15556 15557 40728e RegCloseKey 15555->15557 15558 4072cd RegCloseKey 15556->15558 15559 4072dd 15556->15559 15557->15561 15558->15561 15560 407311 RegCloseKey 15559->15560 15563 407335 15559->15563 15560->15561 15561->15201 15562 4073d5 RegCloseKey 15564 4073e4 15562->15564 15563->15562 15565 40737e GetFileAttributesExA 15563->15565 15566 407397 15563->15566 15565->15566 15566->15562 15568 40f1c3 15567->15568 15568->15551 15570 406e5f LookupAccountNameW 15569->15570 15571 406e97 15569->15571 15570->15571 15571->15205 15573 40eb17 15572->15573 15574 40eb21 15572->15574 15582 40eae4 15573->15582 15574->15241 15578 4069b9 WriteFile 15576->15578 15579 406a3c 15578->15579 15581 4069ff 15578->15581 15579->15239 15579->15240 15580 406a10 WriteFile 15580->15579 15580->15581 15581->15579 15581->15580 15583 40eb02 GetProcAddress 15582->15583 15584 40eaed LoadLibraryA 15582->15584 15583->15574 15584->15583 15585 40eb01 15584->15585 15585->15574 15587 401924 GetVersionExA 15586->15587 15587->15254 15589 406eef AllocateAndInitializeSid 15588->15589 15595 406f55 15588->15595 15590 406f1c CheckTokenMembership 15589->15590 15593 406f44 15589->15593 15591 406f3b FreeSid 15590->15591 15592 406f2e 15590->15592 15591->15593 15592->15591 15594 406e36 2 API calls 15593->15594 15593->15595 15594->15595 15595->15265 15597 40f0f1 15596->15597 15598 40f0ed 15596->15598 15599 40f119 15597->15599 15600 40f0fa lstrlenA SysAllocStringByteLen 15597->15600 15598->15286 15601 40f11c MultiByteToWideChar 15599->15601 15600->15601 15602 40f117 15600->15602 15601->15602 15602->15286 15604 401820 17 API calls 
15603->15604 15606 4018f2 15604->15606 15605 4018f9 15605->15281 15606->15605 15620 401280 15606->15620 15608 401908 15608->15281 15632 401000 15609->15632 15611 401839 15612 401851 GetCurrentProcess 15611->15612 15613 40183d 15611->15613 15614 401864 15612->15614 15613->15272 15614->15272 15616 40920e 15615->15616 15619 409308 15615->15619 15617 4092f1 Sleep 15616->15617 15618 4092bf ShellExecuteA 15616->15618 15616->15619 15617->15616 15618->15616 15618->15619 15619->15281 15621 4012e1 15620->15621 15622 4016f9 GetLastError 15621->15622 15623 4013a8 15621->15623 15624 401699 15622->15624 15623->15624 15625 401570 lstrlenW 15623->15625 15626 4015be GetStartupInfoW 15623->15626 15627 4015ff CreateProcessWithLogonW 15623->15627 15631 401668 CloseHandle 15623->15631 15624->15608 15625->15623 15626->15623 15628 4016bf GetLastError 15627->15628 15629 40163f WaitForSingleObject 15627->15629 15628->15624 15629->15623 15630 401659 CloseHandle 15629->15630 15630->15623 15631->15623 15633 40100d LoadLibraryA 15632->15633 15635 401023 15632->15635 15634 401021 15633->15634 15633->15635 15634->15611 15636 4010b5 GetProcAddress 15635->15636 15652 4010ae 15635->15652 15637 4010d1 GetProcAddress 15636->15637 15638 40127b 15636->15638 15637->15638 15639 4010f0 GetProcAddress 15637->15639 15638->15611 15639->15638 15640 401110 GetProcAddress 15639->15640 15640->15638 15641 401130 GetProcAddress 15640->15641 15641->15638 15642 40114f GetProcAddress 15641->15642 15642->15638 15643 40116f GetProcAddress 15642->15643 15643->15638 15644 40118f GetProcAddress 15643->15644 15644->15638 15645 4011ae GetProcAddress 15644->15645 15645->15638 15646 4011ce GetProcAddress 15645->15646 15646->15638 15647 4011ee GetProcAddress 15646->15647 15647->15638 15648 401209 GetProcAddress 15647->15648 15648->15638 15649 401225 GetProcAddress 15648->15649 15649->15638 15650 401241 GetProcAddress 15649->15650 15650->15638 15651 40125c GetProcAddress 15650->15651 15651->15638 15652->15611 15654 40908d 
15653->15654 15655 4090e2 wsprintfA 15654->15655 15656 40ee2a 15655->15656 15657 4090fd CreateFileA 15656->15657 15658 40911a lstrlenA WriteFile CloseHandle 15657->15658 15659 40913f 15657->15659 15658->15659 15659->15302 15659->15303 15661 40dd41 InterlockedExchange 15660->15661 15662 40dd20 GetCurrentThreadId 15661->15662 15666 40dd4a 15661->15666 15663 40dd53 GetCurrentThreadId 15662->15663 15664 40dd2e GetTickCount 15662->15664 15663->15306 15665 40dd39 Sleep 15664->15665 15664->15666 15665->15661 15666->15663 15668 40dbf0 15667->15668 15700 40db67 GetEnvironmentVariableA 15668->15700 15670 40dc19 15671 40dcda 15670->15671 15672 40db67 3 API calls 15670->15672 15671->15308 15673 40dc5c 15672->15673 15673->15671 15674 40db67 3 API calls 15673->15674 15675 40dc9b 15674->15675 15675->15671 15676 40db67 3 API calls 15675->15676 15676->15671 15678 40db55 15677->15678 15679 40db3a 15677->15679 15678->15310 15678->15315 15704 40ebed 15679->15704 15713 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15681->15713 15683 40e3be 15683->15310 15684 40e342 15684->15683 15716 40de24 15684->15716 15687 40e528 15686->15687 15688 40e3f4 15686->15688 15687->15319 15689 40e434 RegQueryValueExA 15688->15689 15690 40e458 15689->15690 15691 40e51d RegCloseKey 15689->15691 15692 40e46e RegQueryValueExA 15690->15692 15691->15687 15692->15690 15693 40e488 15692->15693 15693->15691 15694 40db2e 8 API calls 15693->15694 15695 40e499 15694->15695 15695->15691 15696 40e4b9 RegQueryValueExA 15695->15696 15697 40e4e8 15695->15697 15696->15695 15696->15697 15697->15691 15698 40e332 14 API calls 15697->15698 15699 40e513 15698->15699 15699->15691 15701 40db89 lstrcpyA CreateFileA 15700->15701 15702 40dbca 15700->15702 15701->15670 15702->15670 15705 40ec01 15704->15705 15706 40ebf6 15704->15706 15708 40eba0 codecvt 2 API calls 15705->15708 15707 40ebcc 4 API calls 15706->15707 15709 40ebfe 15707->15709 15710 40ec0a GetProcessHeap HeapReAlloc 15708->15710 15709->15678 15711 40eb74 2 API 
calls 15710->15711 15712 40ec28 15711->15712 15712->15678 15727 40eb41 15713->15727 15717 40de3a 15716->15717 15720 40de4e 15717->15720 15731 40dd84 15717->15731 15720->15684 15721 40de9e 15721->15720 15722 40ebed 8 API calls 15721->15722 15725 40def6 15722->15725 15723 40de76 15735 40ddcf 15723->15735 15725->15720 15726 40ddcf lstrcmpA 15725->15726 15726->15720 15728 40eb4a 15727->15728 15730 40eb54 15727->15730 15729 40eae4 2 API calls 15728->15729 15729->15730 15730->15684 15732 40ddc5 15731->15732 15733 40dd96 15731->15733 15732->15721 15732->15723 15733->15732 15734 40ddad lstrcmpiA 15733->15734 15734->15732 15734->15733 15736 40dddd 15735->15736 15738 40de20 15735->15738 15737 40ddfa lstrcmpA 15736->15737 15736->15738 15737->15736 15738->15720 15740 40dd05 6 API calls 15739->15740 15741 40e821 15740->15741 15742 40dd84 lstrcmpiA 15741->15742 15743 40e82c 15742->15743 15745 40e844 15743->15745 15787 402480 15743->15787 15745->15335 15747 40dd05 6 API calls 15746->15747 15748 40df7c 15747->15748 15749 40dd84 lstrcmpiA 15748->15749 15753 40df89 15749->15753 15750 40ddcf lstrcmpA 15750->15753 15751 40ec2e codecvt 4 API calls 15751->15753 15752 40dd84 lstrcmpiA 15752->15753 15753->15750 15753->15751 15753->15752 15754 40dfc4 15753->15754 15754->15340 15756 40ea98 15755->15756 15796 40e8a1 15756->15796 15758 401e84 15758->15343 15760 4019d5 GetProcAddress GetProcAddress GetProcAddress 15759->15760 15763 4019ce 15759->15763 15761 401ab3 FreeLibrary 15760->15761 15762 401a04 15760->15762 15761->15763 15762->15761 15764 401a14 GetProcessHeap 15762->15764 15763->15348 15764->15763 15766 401a2e HeapAlloc 15764->15766 15766->15763 15767 401a42 15766->15767 15768 401a52 HeapReAlloc 15767->15768 15770 401a62 15767->15770 15768->15770 15769 401aa1 FreeLibrary 15769->15763 15770->15769 15771 401a96 HeapFree 15770->15771 15771->15769 15824 401ac3 LoadLibraryA 15772->15824 15775 401bcf 15775->15360 15777 401ac3 12 API calls 15776->15777 15778 401c09 15777->15778 15779 401c41 
15778->15779 15780 401c0d GetComputerNameA 15778->15780 15779->15367 15781 401c45 GetVolumeInformationA 15780->15781 15782 401c1f 15780->15782 15781->15779 15782->15779 15782->15781 15784 40ee2a 15783->15784 15785 4030d0 gethostname gethostbyname 15784->15785 15786 401f82 15785->15786 15786->15372 15786->15374 15790 402419 lstrlenA 15787->15790 15789 402491 15789->15745 15791 40243d lstrlenA 15790->15791 15794 402474 15790->15794 15792 402464 lstrlenA 15791->15792 15793 40244e lstrcmpiA 15791->15793 15792->15791 15792->15794 15793->15792 15795 40245c 15793->15795 15794->15789 15795->15792 15795->15794 15797 40dd05 6 API calls 15796->15797 15798 40e8b4 15797->15798 15799 40dd84 lstrcmpiA 15798->15799 15800 40e8c0 15799->15800 15801 40e8c8 lstrcpynA 15800->15801 15810 40e90a 15800->15810 15802 40e8f5 15801->15802 15817 40df4c 15802->15817 15803 402419 4 API calls 15804 40e926 lstrlenA lstrlenA 15803->15804 15806 40e94c lstrlenA 15804->15806 15809 40e96a 15804->15809 15806->15809 15807 40e901 15808 40dd84 lstrcmpiA 15807->15808 15808->15810 15811 40ebcc 4 API calls 15809->15811 15812 40ea27 15809->15812 15810->15803 15810->15812 15813 40e98f 15811->15813 15812->15758 15813->15812 15814 40df4c 20 API calls 15813->15814 15815 40ea1e 15814->15815 15816 40ec2e codecvt 4 API calls 15815->15816 15816->15812 15818 40dd05 6 API calls 15817->15818 15819 40df51 15818->15819 15820 40f04e 4 API calls 15819->15820 15821 40df58 15820->15821 15822 40de24 10 API calls 15821->15822 15823 40df63 15822->15823 15823->15807 15825 401ae2 GetProcAddress 15824->15825 15828 401b68 GetComputerNameA GetVolumeInformationA 15824->15828 15826 401af5 15825->15826 15825->15828 15827 40ebed 8 API calls 15826->15827 15829 401b29 15826->15829 15827->15826 15828->15775 15829->15828 15829->15829 15830 40ec2e codecvt 4 API calls 15829->15830 15830->15828 15832 406ec3 2 API calls 15831->15832 15833 407ef4 15832->15833 15834 4073ff 17 API calls 15833->15834 15843 407fc9 15833->15843 15835 407f16 
15834->15835 15835->15843 15844 407809 GetUserNameA 15835->15844 15837 407f63 15838 40ef1e lstrlenA 15837->15838 15837->15843 15839 407fa6 15838->15839 15840 40ef1e lstrlenA 15839->15840 15841 407fb7 15840->15841 15868 407a95 RegOpenKeyExA 15841->15868 15843->15386 15845 40783d LookupAccountNameA 15844->15845 15846 407a8d 15844->15846 15845->15846 15847 407874 GetLengthSid GetFileSecurityA 15845->15847 15846->15837 15847->15846 15848 4078a8 GetSecurityDescriptorOwner 15847->15848 15849 4078c5 EqualSid 15848->15849 15850 40791d GetSecurityDescriptorDacl 15848->15850 15849->15850 15851 4078dc LocalAlloc 15849->15851 15850->15846 15857 407941 15850->15857 15851->15850 15852 4078ef InitializeSecurityDescriptor 15851->15852 15853 407916 LocalFree 15852->15853 15854 4078fb SetSecurityDescriptorOwner 15852->15854 15853->15850 15854->15853 15856 40790b SetFileSecurityA 15854->15856 15855 40795b GetAce 15855->15857 15856->15853 15857->15846 15857->15855 15858 407980 EqualSid 15857->15858 15859 407a3d 15857->15859 15860 4079be EqualSid 15857->15860 15861 40799d DeleteAce 15857->15861 15858->15857 15859->15846 15862 407a43 LocalAlloc 15859->15862 15860->15857 15861->15857 15862->15846 15863 407a56 InitializeSecurityDescriptor 15862->15863 15864 407a62 SetSecurityDescriptorDacl 15863->15864 15865 407a86 LocalFree 15863->15865 15864->15865 15866 407a73 SetFileSecurityA 15864->15866 15865->15846 15866->15865 15867 407a83 15866->15867 15867->15865 15869 407ac4 15868->15869 15870 407acb GetUserNameA 15868->15870 15869->15843 15871 407da7 RegCloseKey 15870->15871 15872 407aed LookupAccountNameA 15870->15872 15871->15869 15872->15871 15873 407b24 RegGetKeySecurity 15872->15873 15873->15871 15874 407b49 GetSecurityDescriptorOwner 15873->15874 15875 407b63 EqualSid 15874->15875 15876 407bb8 GetSecurityDescriptorDacl 15874->15876 15875->15876 15877 407b74 LocalAlloc 15875->15877 15878 407da6 15876->15878 15885 407bdc 15876->15885 15877->15876 15879 407b8a InitializeSecurityDescriptor 
15877->15879 15878->15871 15880 407bb1 LocalFree 15879->15880 15881 407b96 SetSecurityDescriptorOwner 15879->15881 15880->15876 15881->15880 15883 407ba6 RegSetKeySecurity 15881->15883 15882 407bf8 GetAce 15882->15885 15883->15880 15884 407c1d EqualSid 15884->15885 15885->15878 15885->15882 15885->15884 15886 407c5f EqualSid 15885->15886 15887 407cd9 15885->15887 15888 407c3a DeleteAce 15885->15888 15886->15885 15887->15878 15889 407d5a LocalAlloc 15887->15889 15890 407cf2 RegOpenKeyExA 15887->15890 15888->15885 15889->15878 15891 407d70 InitializeSecurityDescriptor 15889->15891 15890->15889 15896 407d0f 15890->15896 15892 407d7c SetSecurityDescriptorDacl 15891->15892 15893 407d9f LocalFree 15891->15893 15892->15893 15894 407d8c RegSetKeySecurity 15892->15894 15893->15878 15894->15893 15895 407d9c 15894->15895 15895->15893 15897 407d43 RegSetValueExA 15896->15897 15897->15889 15898 407d54 15897->15898 15898->15889 15899->15402 15901 40dd05 6 API calls 15900->15901 15904 40e65f 15901->15904 15902 40e6a5 15903 40ebcc 4 API calls 15902->15903 15909 40e6f5 15902->15909 15906 40e6b0 15903->15906 15904->15902 15905 40e68c lstrcmpA 15904->15905 15905->15904 15907 40e6b7 15906->15907 15908 40e6e0 lstrcpynA 15906->15908 15906->15909 15907->15404 15908->15909 15909->15907 15910 40e71d lstrcmpA 15909->15910 15910->15909 15911->15410 15913 40c525 15912->15913 15914 40c532 15912->15914 15913->15914 15916 40ec2e codecvt 4 API calls 15913->15916 15915 40c548 15914->15915 16064 40e7ff 15914->16064 15918 40e7ff lstrcmpiA 15915->15918 15924 40c54f 15915->15924 15916->15914 15919 40c615 15918->15919 15920 40ebcc 4 API calls 15919->15920 15919->15924 15920->15924 15921 40c5d1 15923 40ebcc 4 API calls 15921->15923 15923->15924 15924->15423 15925 40e819 11 API calls 15926 40c5b7 15925->15926 15927 40f04e 4 API calls 15926->15927 15928 40c5bf 15927->15928 15928->15915 15928->15921 15930 402692 inet_addr 15929->15930 15931 40268e 15929->15931 15930->15931 15932 40269e gethostbyname 
15930->15932 15933 40f428 15931->15933 15932->15931 16067 40f315 15933->16067 15938 40c8d2 15936->15938 15937 40c907 15937->15457 15938->15937 15939 40c517 23 API calls 15938->15939 15939->15937 15940 40f43e 15941 40f473 recv 15940->15941 15942 40f458 15941->15942 15943 40f47c 15941->15943 15942->15941 15942->15943 15943->15440 15945 40c670 15944->15945 15948 40c67d 15944->15948 15946 40ebcc 4 API calls 15945->15946 15946->15948 15947 40ebcc 4 API calls 15950 40c699 15947->15950 15948->15947 15948->15950 15949 40c6f3 15949->15453 15949->15518 15950->15949 15951 40c73c send 15950->15951 15951->15949 15953 40c770 15952->15953 15954 40c77d 15952->15954 15955 40ebcc 4 API calls 15953->15955 15956 40c799 15954->15956 15957 40ebcc 4 API calls 15954->15957 15955->15954 15959 40ebcc 4 API calls 15956->15959 15960 40c7b5 15956->15960 15957->15956 15958 40f43e recv 15961 40c7cb 15958->15961 15959->15960 15960->15958 15962 40f43e recv 15961->15962 15963 40c7d3 15961->15963 15962->15963 15963->15518 16080 407db7 15964->16080 15967 407e96 15967->15518 15968 40f04e 4 API calls 15970 407e4c 15968->15970 15969 40f04e 4 API calls 15969->15967 15971 40f04e 4 API calls 15970->15971 15972 407e70 15970->15972 15971->15972 15972->15967 15972->15969 15974 406ec3 2 API calls 15973->15974 15975 407fdd 15974->15975 15976 4073ff 17 API calls 15975->15976 15985 4080c2 CreateProcessA 15975->15985 15977 407fff 15976->15977 15978 407809 21 API calls 15977->15978 15977->15985 15979 40804d 15978->15979 15980 40ef1e lstrlenA 15979->15980 15979->15985 15981 40809e 15980->15981 15982 40ef1e lstrlenA 15981->15982 15983 4080af 15982->15983 15984 407a95 24 API calls 15983->15984 15984->15985 15985->15506 15985->15507 15987 407db7 2 API calls 15986->15987 15988 407eb8 15987->15988 15989 40f04e 4 API calls 15988->15989 15990 407ece DeleteFileA 15989->15990 15990->15518 15992 40dd05 6 API calls 15991->15992 15993 40e31d 15992->15993 16084 40e177 15993->16084 15995 40e326 15995->15479 15997 4031f3 
[Control-flow graph residue (Joe Sandbox IDA plugin): the original rendering is a call-graph image; only its node/edge listing survived extraction. Nodes cover functions in the 0x401978 to 0x40f428 range of the image at 0x400000 (named-pipe handling at 0x404159 via CreateNamedPipeA/ConnectNamedPipe, socket setup at 0x40f347 via socket/ioctlsocket/connect/select, registry writes at 0x40e095 via RegCreateKeyExA/RegSetValueExA), plus separate blocks at 0x770005 (GetPEB, VirtualProtect, VirtualFree, LoadLibraryA), 0x8f1d38 (CreateToolhelp32Snapshot, Module32First, VirtualAlloc) and 0x407a95 (RegOpenKeyExA, GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner/Dacl, GetAce/DeleteAce, SetSecurityDescriptorOwner/Dacl, RegSetKeySecurity).]
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\vekvtia.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                              • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\vekvtia.exe$C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$D$P$\$xembmrjv
                                                                                              • API String ID: 2089075347-3798926020
                                                                                              • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                              • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                              • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                              • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                               Control-flow Graph (rendered graph not reproduced; legend Executed / Not Executed and the node edge list omitted)

                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                              • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                              • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1965334864-0
                                                                                              • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                              • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                              • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                              • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                               Control-flow Graph (rendered graph not reproduced; legend Executed / Not Executed and the node edge list omitted)

                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                              • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                              • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                              • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                              • String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$D
                                                                                              • API String ID: 2976863881-661856222
                                                                                              • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                              • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                              • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                              • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

                                                                                               Control-flow Graph (rendered graph not reproduced; legend Executed / Not Executed and the node edge list omitted)

                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                              • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                              • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                              • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                              • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                                • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                              • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                              • String ID: "
                                                                                              • API String ID: 3433985886-123907689
                                                                                              • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                              • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                              • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                              • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                               Control-flow Graph (rendered graph not reproduced; legend Executed / Not Executed and the node edge list omitted)

                                                                                              APIs
                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0077024D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID: cess$kernel32.dll
                                                                                              • API String ID: 4275171209-1230238691
                                                                                              • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                              • Instruction ID: eb967b8dd150540dfe34656cd18d3c8926ccd1c5aeb965a026e86d844c862aa8
                                                                                              • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                              • Instruction Fuzzy Hash: 34526874A00229DFDB64CF68C985BA8BBB1BF09304F1480D9E90DAB351DB34AE95DF54

                                                                                               Control-flow Graph (rendered graph not reproduced; legend Executed / Not Executed and the node edge list omitted)

                                                                                              APIs
                                                                                              • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                              • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                              • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                              • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                              • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                              • String ID: D
                                                                                              • API String ID: 2098669666-2746444292
                                                                                              • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                              • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                              • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                              • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                               Control-flow Graph (rendered graph not reproduced; legend Executed / Not Executed and the node edge list omitted)

                                                                                              APIs
                                                                                              • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                              • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                              • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateErrorFileLastSleep
                                                                                              • String ID:
                                                                                              • API String ID: 408151869-0
                                                                                              • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                              • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                              • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                              • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                               Control-flow Graph (not rendered)
                                                                                              APIs
                                                                                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$CountFileInformationSystemTickVolume
                                                                                              • String ID:
                                                                                              • API String ID: 1209300637-0
                                                                                              • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                              • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                              • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                              • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                               Control-flow Graph (not rendered): basic blocks 406e36-406ec2; GetUserNameW in block 406e36-406e5d, LookupAccountNameW in block 406e5f-406e95
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                              • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Name$AccountLookupUser
                                                                                              • String ID:
                                                                                              • API String ID: 2370142434-0
                                                                                              • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                              • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                              • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                              • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                               Control-flow Graph (not rendered): basic blocks 8f24d8-8f2536; CreateToolhelp32Snapshot in block 8f24fc-8f2508, Module32First in block 8f2518-8f2525, call 8f2197 in block 8f2527-8f2528
                                                                                              APIs
                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008F2500
                                                                                              • Module32First.KERNEL32(00000000,00000224), ref: 008F2520
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095880214.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 008E2000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_8e2000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                              • String ID:
                                                                                              • API String ID: 3833638111-0
                                                                                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                              • Instruction ID: 7eea1c9448ba32a9311062033d054a7d16c0cdb0a6ec8d349ef71920a23a4a27
                                                                                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                              • Instruction Fuzzy Hash: 78F090362007296BE7207BF9A88DB7E76E8FF89724F100528E742D60C0DBB4EC454A65

                                                                                               Control-flow Graph (not rendered): basic blocks 770e0f-770e2c; SetErrorMode called twice in block 770e0f-770e24
                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE(00000400,?,?,00770223,?,?), ref: 00770E19
                                                                                              • SetErrorMode.KERNELBASE(00000000,?,?,00770223,?,?), ref: 00770E1E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                              • Instruction ID: f2e617ca39dc8991cb6ac2ca656cf8dc3aa0cf64d11947b8883ade7833503f58
                                                                                              • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                              • Instruction Fuzzy Hash: 16D01231145128B7DB003A94DC09BCD7B1CDF09BA2F008411FB0DD9080C7B4994046E5

                                                                                               Control-flow Graph (not rendered): basic blocks 406dc2-406e35; call 406cc9 and call 40ef00 in block 406dd7-406df1, GetVolumeInformationA in block 406e02-406e22
                                                                                              APIs
                                                                                                • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                                • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                                • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                                • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                              • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                              • String ID:
                                                                                              • API String ID: 1823874839-0
                                                                                              • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                              • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                              • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                              • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                               Control-flow Graph (not rendered): basic blocks 409892-4098f1; SetServiceStatus in block 4098e0-4098f1
                                                                                              APIs
                                                                                              • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ServiceStatus
                                                                                              • String ID:
                                                                                              • API String ID: 3969395364-0
                                                                                              • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                              • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                              • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                              • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                               Control-flow Graph (not rendered): single basic block 770920-770929; TerminateProcess
                                                                                              APIs
                                                                                              • TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00770929
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 560597551-0
                                                                                              • Opcode ID: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                              • Instruction ID: 46c7c7c6dcd93c711cbd188b681eb9ae36fa97d9339837816e323f92b9b16bc3
                                                                                              • Opcode Fuzzy Hash: ed1fa5443604d132978e6c58f8cc4a5f1646693310c318f56ccf6213ab4b7ad9
                                                                                              • Instruction Fuzzy Hash: 9F90043034437511DC3035DC0C01F4500133741734F7047307533DD1D0C54157004117

                                                                                               Control-flow Graph (not rendered): basic blocks 8f2197-8f221f; call 8f24aa in block 8f2197-8f21d1, VirtualAlloc and call 8f2224 in block 8f21d3-8f2206
                                                                                              APIs
                                                                                              • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008F21E8
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095880214.00000000008E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 008E2000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_8e2000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual
                                                                                              • String ID:
                                                                                              • API String ID: 4275171209-0
                                                                                              • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                              • Instruction ID: d97c40e9a8a8410ceccb8fd27f4c856195e357ef46937de2f34d947a41f3be2c
                                                                                              • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                              • Instruction Fuzzy Hash: B4113C79A00208EFDB01DF98C985E98BBF5EF08750F058094FA489B362D371EA50DF90
                                                                                              APIs
                                                                                                • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                              • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEventSleep
                                                                                              • String ID:
                                                                                              • API String ID: 3100162736-0
                                                                                              • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                              • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                              • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                              • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 007765F6
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00776610
                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00776631
                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00776652
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1965334864-0
                                                                                              • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                              • Instruction ID: 826209737b753dc832981653273453de62ed20454bd0d825e6a4a065336a96dd
                                                                                              • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                              • Instruction Fuzzy Hash: 211173B1600218BFDB219F65DC4AF9B3FA8EB057E5F108024F908E7255D7B5DD109AB4
                                                                                              APIs
                                                                                              • ExitProcess.KERNEL32 ref: 00779E6D
                                                                                              • lstrcpy.KERNEL32(?,00000000), ref: 00779FE1
                                                                                              • lstrcat.KERNEL32(?,?), ref: 00779FF2
                                                                                              • lstrcat.KERNEL32(?,0041070C), ref: 0077A004
                                                                                              • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0077A054
                                                                                              • DeleteFileA.KERNEL32(?), ref: 0077A09F
                                                                                              • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0077A0D6
                                                                                              • lstrcpy.KERNEL32 ref: 0077A12F
                                                                                              • lstrlen.KERNEL32(00000022), ref: 0077A13C
                                                                                              • GetTempPathA.KERNEL32(000001F4,?), ref: 00779F13
                                                                                                • Part of subcall function 00777029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00777081
                                                                                                • Part of subcall function 00776F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wdlalqiu,00777043), ref: 00776F4E
                                                                                                • Part of subcall function 00776F30: GetProcAddress.KERNEL32(00000000), ref: 00776F55
                                                                                                • Part of subcall function 00776F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00776F7B
                                                                                                • Part of subcall function 00776F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00776F92
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0077A1A2
                                                                                              • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0077A1C5
                                                                                              • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0077A214
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0077A21B
                                                                                              • GetDriveTypeA.KERNEL32(?), ref: 0077A265
                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 0077A29F
                                                                                              • lstrcat.KERNEL32(?,00410A34), ref: 0077A2C5
                                                                                              • lstrcat.KERNEL32(?,00000022), ref: 0077A2D9
                                                                                              • lstrcat.KERNEL32(?,00410A34), ref: 0077A2F4
                                                                                              • wsprintfA.USER32 ref: 0077A31D
                                                                                              • lstrcat.KERNEL32(?,00000000), ref: 0077A345
                                                                                              • lstrcat.KERNEL32(?,?), ref: 0077A364
                                                                                              • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0077A387
                                                                                              • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0077A398
                                                                                              • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0077A1D1
                                                                                                • Part of subcall function 00779966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0077999D
                                                                                                • Part of subcall function 00779966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 007799BD
                                                                                                • Part of subcall function 00779966: RegCloseKey.ADVAPI32(?), ref: 007799C6
                                                                                              • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0077A3DB
                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0077A3E2
                                                                                              • GetDriveTypeA.KERNEL32(00000022), ref: 0077A41D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                              • String ID: "$"$"$D$P$\
                                                                                              • API String ID: 1653845638-2605685093
                                                                                              • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                              • Instruction ID: aa3141979343131c3b5eb88b30a3bea44c52ab0108e18662fb00509823062475
                                                                                              • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                              • Instruction Fuzzy Hash: E0F130B1D40259FEEF11DBA08C49EEF7BBCAB48344F0484A5E609E2141E7798A85CF65
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                              • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                              • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                              • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                              • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                              • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                              • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                              • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                              • API String ID: 2238633743-3228201535
                                                                                              • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                              • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                              • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                              • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                              • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                              • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                              • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                              • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                              • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                              • wsprintfA.USER32 ref: 0040B3B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                              • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                              • API String ID: 766114626-2976066047
                                                                                              • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                              • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                              • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                              • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
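The routine above converts a FILETIME to local time, reads the time-zone bias and prints it through the format string and the day/month name tables listed under String ID; the result is an RFC 5322 style Date line for the messages the sample sends. The following Python is an added example, not code recovered from the sample: the format string and the name tables are taken from the listing, while the use of TIME_ZONE_INFORMATION.Bias semantics, the SYSTEMTIME-style argument list and the weekday sanity check are this example's own assumptions. The sample local time (13 Jan 2018 12:08:32) is constructed for the demonstration.

```python
"""Date-line builder matching the listing's format string (added example)."""
import re
from datetime import datetime

# Name tables exactly as they appear in the listing's String ID, in
# SYSTEMTIME.wDayOfWeek order (0 == Sunday) and wMonth order (1 == January).
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
FORMAT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"      # from the listing
# wsprintfA's %u / %.2u have no direct Python equivalent; translate them once.
PY_FORMAT = FORMAT.replace("%.2u", "%02d").replace("%u", "%d")


def format_date(year, month, day, hour, minute, second, bias_minutes):
    """Build the Date line from SYSTEMTIME-like fields and a Windows Bias.

    Assumption: the last three conversions ("%s%.2u%.2u") are fed from
    TIME_ZONE_INFORMATION.Bias. Windows defines UTC = local + Bias, i.e. Bias
    is minutes *west* of UTC: CET (UTC+1) has Bias == -60 and must be printed
    as "+0100". Inverting the sign is the classic bug when re-implementing
    this, so it is done explicitly here.
    """
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    tz_hours, tz_minutes = divmod(abs(offset), 60)
    # datetime.weekday(): 0 == Monday; wDayOfWeek: 0 == Sunday.
    wday = (datetime(year, month, day).weekday() + 1) % 7
    return PY_FORMAT % (DAYS[wday], day, MONTHS[month - 1], year,
                        hour, minute, second, sign, tz_hours, tz_minutes)


DATE_RE = re.compile(
    r"^(Sun|Mon|Tue|Wed|Thu|Fri|Sat), (\d{1,2}) (" + "|".join(MONTHS) + r") (\d{4}) "
    r"(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$")


def weekday_consistent(header: str) -> bool:
    """Return True when the day name agrees with the calendar date.

    A mismatch means the line was not produced from a real clock; the sample
    computes both from the same SYSTEMTIME, so its output always passes.
    Raises ValueError for lines that do not have the listing's exact shape.
    """
    m = DATE_RE.match(header)
    if not m:
        raise ValueError("not in the sample's Date shape")
    wday, day, mon, year = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    actual = datetime(year, MONTHS.index(mon) + 1, day)
    return DAYS[(actual.weekday() + 1) % 7] == wday
```

The unpadded day (`%u`, so "7 Jan" rather than "07 Jan") and the always-present day name are the two fixed traits of this generator; both are legal under RFC 5322, so they are fingerprinting hints, not a detection on their own.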
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00777D21
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00777D46
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00777D7D
                                                                                              • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00777DA2
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00777DC0
                                                                                              • EqualSid.ADVAPI32(?,?), ref: 00777DD1
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00777DE5
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00777DF3
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00777E03
                                                                                              • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00777E12
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00777E19
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00777E35
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                              • String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$D
                                                                                              • API String ID: 2976863881-661856222
                                                                                              • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                              • Instruction ID: 257c08014dce105198e6c41c35a75377b5f05d6f7a39559e6bf31107c496b516
                                                                                              • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                              • Instruction Fuzzy Hash: 9AA14E71900219AFDF11CFA0DD88FEEBBB9FB08340F148469E519E6150DB798A85CB65
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                              • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                              • API String ID: 2400214276-165278494
                                                                                              • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                              • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                              • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                                              • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                              APIs
                                                                                              • wsprintfA.USER32 ref: 0040A7FB
                                                                                              • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                              • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                              • wsprintfA.USER32 ref: 0040A8AF
                                                                                              • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                              • wsprintfA.USER32 ref: 0040A8E2
                                                                                              • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                              • wsprintfA.USER32 ref: 0040A9B9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$send$lstrlenrecv
                                                                                              • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                              • API String ID: 3650048968-2394369944
                                                                                              • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                              • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                              • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                                              • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
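The strings and calls above are a hand-rolled SMTP sender: `ehlo %s` / `helo %s`, `mail from:<%s>`, `rcpt to:<%s>`, `data`, `quit`, an `AUTH LOGIN` branch, a `recv` into a 0x3F6 (1014) byte buffer and a 5-byte `send` of the end-of-data marker, which is consistent with `\r\n.\r\n`. The three error strings show the client validates the peer's replies. The Python below is an added example that models that exchange with both sides' messages; it is not code from the sample. The command templates, buffer size and terminator come from the listing; the exact response checks (minimum length, status-code comparison), the EHLO-to-HELO fallback on a banner without "ESMTP", the fake server and every name are assumptions of this example.

```python
"""Model of the SMTP dialogue suggested by the listing (added example)."""
import base64

MAX_RESPONSE = 0x3F6              # recv() buffer size in the listing (1014 bytes)
DATA_TERMINATOR = b"\r\n.\r\n"    # the 5-byte send() that ends the DATA phase


class SmtpError(Exception):
    """Raised with one of the error strings seen in the sample."""


def check_response(raw: bytes, expected_code: str) -> str:
    """Validate a reply the way the sample's error strings suggest it does.

    Assumed thresholds: a reply that would not fit the recv buffer is
    'Too big smtp respons', fewer than 3 bytes is 'Too small respons', and a
    status code other than the expected one is 'Incorrect respons'.
    """
    if len(raw) > MAX_RESPONSE:
        raise SmtpError("Too big smtp respons (%d bytes)" % len(raw))
    if len(raw) < 3:
        raise SmtpError("Too small respons")
    text = raw.decode("ascii", "replace")
    if text[:3] != expected_code:
        raise SmtpError("Incorrect respons")
    return text


def smtp_session(server, helo_name, mail_from, rcpt_to, body, auth=None):
    """Run one delivery; return the transcript as (direction, bytes) tuples.

    `server` is a callable taking the bytes sent and returning the reply
    (a fake peer below; a socket wrapper in a real harness).
    """
    transcript = []

    def talk(cmd: bytes, code: str) -> str:
        transcript.append(("C", cmd))
        reply = server(cmd)
        transcript.append(("S", reply))
        return check_response(reply, code)

    greeting = server(b"")                      # banner, e.g. "220 host ESMTP"
    transcript.append(("S", greeting))
    check_response(greeting, "220")
    # Assumed: "ehlo %s" when the banner advertises ESMTP, "helo %s" otherwise.
    verb = b"ehlo" if b"ESMTP" in greeting else b"helo"
    talk(verb + b" %s\r\n" % helo_name.encode(), "250")
    if auth:                                    # AUTH LOGIN: base64 user, then password
        user, password = auth
        talk(b"AUTH LOGIN\r\n", "334")
        talk(base64.b64encode(user.encode()) + b"\r\n", "334")
        talk(base64.b64encode(password.encode()) + b"\r\n", "235")
    talk(b"mail from:<%s>\r\n" % mail_from.encode(), "250")
    talk(b"rcpt to:<%s>\r\n" % rcpt_to.encode(), "250")
    talk(b"data\r\n", "354")
    transcript.append(("C", body))              # message body; no reply until the terminator
    talk(DATA_TERMINATOR, "250")
    talk(b"quit\r\n", "221")
    return transcript


def make_fake_server(esmtp=True, oversized_final=False):
    """Constructed peer that answers like a minimal MTA (not a real server).

    oversized_final=True makes the post-DATA reply exceed MAX_RESPONSE to
    exercise the 'Too big' branch.
    """
    banner = b"220 mx.example.test ESMTP ready\r\n" if esmtp else b"220 mx.example.test ready\r\n"
    state = {"auth_step": 0}

    def reply(cmd: bytes) -> bytes:
        if cmd == b"":
            return banner
        if state["auth_step"] == 1:             # base64 username just arrived
            state["auth_step"] = 2
            return b"334 UGFzc3dvcmQ6\r\n"
        if state["auth_step"] == 2:             # base64 password just arrived
            state["auth_step"] = 0
            return b"235 2.7.0 Authentication successful\r\n"
        low = cmd.lower()
        if low.startswith((b"ehlo", b"helo")):
            return b"250-mx.example.test\r\n250 AUTH LOGIN\r\n"
        if low.startswith(b"auth login"):
            state["auth_step"] = 1
            return b"334 VXNlcm5hbWU6\r\n"
        if low.startswith((b"mail from:", b"rcpt to:")):
            return b"250 2.1.0 OK\r\n"
        if low.startswith(b"data"):
            return b"354 End data with <CR><LF>.<CR><LF>\r\n"
        if cmd == DATA_TERMINATOR:
            if oversized_final:
                return b"250 " + b"x" * MAX_RESPONSE + b"\r\n"
            return b"250 2.0.0 Queued\r\n"
        if low.startswith(b"quit"):
            return b"221 Bye\r\n"
        return b"500 Unknown command\r\n"

    return reply
```

For detection, the lowercase verbs (`mail from:`, `rcpt to:`, `data`, `quit`) and the absence of any RSET or multi-recipient logic are what distinguish this client on the wire from a standard MTA or a mail library; a network sensor can key on exactly those byte sequences.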
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                              • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                              • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                              • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                              • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                              • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                              • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                              • String ID: D
                                                                                              • API String ID: 3722657555-2746444292
                                                                                              • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                              • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                              • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                              • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 00777A96
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00777ACD
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 00777ADF
                                                                                              • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00777B01
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00777B1F
                                                                                              • EqualSid.ADVAPI32(?,?), ref: 00777B39
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 00777B4A
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00777B58
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00777B68
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00777B77
• LocalFree.KERNEL32(00000000), ref: 00777B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00777B9A
• GetAce.ADVAPI32(?,?,?), ref: 00777BCA
• EqualSid.ADVAPI32(?,?), ref: 00777BF1
• DeleteAce.ADVAPI32(?,?), ref: 00777C0A
• EqualSid.ADVAPI32(?,?), ref: 00777C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00777CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00777CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00777CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00777CE0
• LocalFree.KERNEL32(00000000), ref: 00777CEE
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 1359a93c46f67dcf9840065ed5c5057464e23708e9806f6fce1ca0317ab3bca1
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: A4814E72904219AFDF16CFA4DD44FEEBBBCAF0C344F14806AE609E6150D7799A41CBA4
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$localcfg
• API String ID: 237177642-2982705486
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
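The function summaries above tie together three host artefacts of this run: a REG_DWORD (type 4 in RegSetValueExA) read and written under HKEY_LOCAL_MACHINE (0x80000002) next to the string C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe, a set of configuration value names (born_date, flags_upd, hi_id, lid_file_upd, loader_id, net_type, start_srv, work_srv, localcfg), and, in the first block, a rewrite of a file DACL with SetFileSecurityA (0x4 = DACL_SECURITY_INFORMATION) after DeleteAce has removed ACEs matching a given SID. The report's signature list also records a new service. The following PowerShell triage script is an added example, not part of the Joe Sandbox report or of the sample, and uses only built-in cmdlets. It assumes nothing about the registry subkey, which the report does not show, so it scans HKLM:\SOFTWARE recursively; the directory and file names are this run's values and should be parameterised for other hosts.

```powershell
# Added triage script (not from the Joe Sandbox report). Hunts for the artefacts named in the
# function summaries: the dropped binary, its DACL, a service pointing at it, and registry
# values carrying the sample's configuration value names.

$DroppedExe = 'C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe'   # path string recovered from the dump
$ConfigValueNames = @('born_date','flags_upd','hi_id','lid_file_upd','loader_id',
                      'net_type','start_srv','work_srv','localcfg')

# 1. Dropped file and its DACL. The sample rewrites the file's DACL with SetFileSecurityA,
#    so compare the effective ACL with a clean system32 binary if the file is present.
if (Test-Path -LiteralPath $DroppedExe) {
    Write-Output "[!] dropped binary present: $DroppedExe"
    Get-FileHash -LiteralPath $DroppedExe -Algorithm SHA256 | Format-List
    (Get-Acl -LiteralPath $DroppedExe).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Output "[ ] $DroppedExe not found"
}

# 2. Services whose image path points into the dropped directory (the report flags a new
#    service; Win32_Service.PathName holds the full command line of each service).
$Dir = Split-Path -Parent $DroppedExe
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -like "*$Dir*" } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 3. Registry values with the configuration names seen in the dump. The report shows the
#    HKLM root but not the subkey, so scan HKLM:\SOFTWARE recursively (assumption). A 32-bit
#    sample writing HKLM\SOFTWARE lands under WOW6432Node on 64-bit Windows, which this
#    recursive scan from 64-bit PowerShell includes.
Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($ConfigValueNames -contains $name) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Kind  = $key.GetValueKind($name)   # expect DWord for the RegSetValueExA writes
                    Data  = $key.GetValue($name)
                }
            }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session so that the HKLM scan and the ACL read are not blocked by access-denied errors. The value names alone are a weak indicator (they are ordinary words), so treat a hit under an unfamiliar vendor key, together with the service and file checks, as the signal rather than any single match.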
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                              • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                              • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                              • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                              • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                              • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                              • API String ID: 835516345-270533642
                                                                                              • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                              • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                              • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                              • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0077865A
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0077867B
                                                                                              • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 007786A8
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 007786B1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseOpenQuery
                                                                                              • String ID: "$C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe
                                                                                              • API String ID: 237177642-3530236392
                                                                                              • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                              • Instruction ID: 5ab90ee3a93bb8f2fef9294b4a96147a93fd21a12a15538752bb79cc20a13d07
                                                                                              • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                              • Instruction Fuzzy Hash: 94C1A471940208FEEF519BA4DD89EFF7B7CEB04380F148075F609E6051EB784A948B66
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                              • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                              • htons.WS2_32(00000000), ref: 00402ADB
                                                                                              • select.WS2_32 ref: 00402B28
                                                                                              • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                              • htons.WS2_32(?), ref: 00402B71
                                                                                              • htons.WS2_32(?), ref: 00402B8C
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                              • String ID:
                                                                                              • API String ID: 1639031587-0
                                                                                              • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                              • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                              • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                              • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                              APIs
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 00771601
                                                                                              • lstrlenW.KERNEL32(-00000003), ref: 007717D8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShelllstrlen
                                                                                              • String ID: $<$@$D
                                                                                              • API String ID: 1628651668-1974347203
                                                                                              • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                              • Instruction ID: e1da89a9720393104528e03c2913b2c74ebb27c84b9d04d073332ecc01837526
                                                                                              • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                              • Instruction Fuzzy Hash: 4DF180B15083819FDB20CF68C888BABB7E4FB89344F50892DF69997290D778D944CF56
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 007776D9
                                                                                              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00777757
                                                                                              • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0077778F
                                                                                              • ___ascii_stricmp.LIBCMT ref: 007778B4
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0077794E
                                                                                              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0077796D
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0077797E
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 007779AC
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00777A56
                                                                                                • Part of subcall function 0077F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0077772A,?), ref: 0077F414
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 007779F6
                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00777A4D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                              • String ID: "
                                                                                              • API String ID: 3433985886-123907689
                                                                                              • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                              • Instruction ID: da00ace4fd4b70f1a5eb9dbb91bce4e42d63660ae5c6047bf1d2540c68067fdd
                                                                                              • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                              • Instruction Fuzzy Hash: CBC1B371904209EFEF15DBA4DC49FEE7BB9EF45390F1080A5F508E6191EB789A84CB60
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                              • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                              • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                              • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                              • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                                • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                              • String ID: $"
                                                                                              • API String ID: 4293430545-3817095088
                                                                                              • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                              • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                              • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                              • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00772CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00772D07
• htons.WS2_32(00000000), ref: 00772D42
• select.WS2_32 ref: 00772D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00772DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00772E62
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 8db6e1779cf8785bc4062d1f940373a84a740298f299048c872a867d5b214723
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: E161E471504305AFCB209F64DC0CB6BBBF8FB48791F148819F9AC97152D7B9D8828BA5
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
• ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
• ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
• SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
• SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
• CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 2622201749-0
• Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
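The read sizes in the function above are telling: 0x40, 0xF8 and 0x28 bytes, each preceded by a SetFilePointer, are exactly sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), so the routine walks a PE file's headers by hand rather than through an image loader, and the two SetFileAttributesA calls use FILE_ATTRIBUTE_NORMAL (0x80) and FILE_ATTRIBUTE_HIDDEN (0x2) on the file it opens. The Python below is an added example, not code from the report or from the analysed sample: it replays the same three reads on a PE32 image that the script constructs itself, so the sizes can be checked against the real header layout. The final ReadFile, whose length is computed at run time (shown as 00000000 in the listing), is not reproduced.

```python
"""Replay of the ReadFile/SetFilePointer pattern from the listing above.

Added example, not from the Joe Sandbox report or the analysed sample.
The three read sizes match the Win32 PE structures exactly:
  0x40 = sizeof(IMAGE_DOS_HEADER)
  0xF8 = sizeof(IMAGE_NT_HEADERS32)  (Signature 4 + FILE_HEADER 20 + OPTIONAL_HEADER32 224)
  0x28 = sizeof(IMAGE_SECTION_HEADER)
The walker performs the same reads on an in-memory PE32 image that is
constructed here for the test; it is not the sample's file.
"""
import io
import struct

DOS_HEADER_SIZE = 0x40
NT_HEADERS32_SIZE = 0xF8
SECTION_HEADER_SIZE = 0x28


def build_minimal_pe32(section_names=(b".text", b".data")) -> bytes:
    """Constructed input: a structurally valid (not executable) PE32 header set."""
    e_lfanew = 0x80
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> NT headers
    img = bytes(dos) + b"\0" * (e_lfanew - DOS_HEADER_SIZE)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)              # PE32 magic
    img += b"PE\0\0" + file_header + bytes(optional)
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                           0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    return img


def walk_pe_headers(data: bytes) -> dict:
    """Mirror the listing's sequence: read 0x40, seek, read 0xF8, seek, read 0x28 per section."""
    f = io.BytesIO(data)
    dos = f.read(DOS_HEADER_SIZE)                           # ReadFile(..., 0x40)
    if len(dos) != DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    f.seek(e_lfanew)                                        # SetFilePointer(e_lfanew)
    nt = f.read(NT_HEADERS32_SIZE)                          # ReadFile(..., 0xF8)
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("bad or truncated NT headers")
    machine, n_sections = struct.unpack_from("<HH", nt, 4)  # IMAGE_FILE_HEADER starts at +4
    opt_size = struct.unpack_from("<H", nt, 20)[0]          # SizeOfOptionalHeader
    if struct.unpack_from("<H", nt, 24)[0] != 0x10B:        # OptionalHeader.Magic
        raise ValueError("only PE32 fits a 0xF8-byte NT header read")
    section_table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(n_sections):
        f.seek(section_table + i * SECTION_HEADER_SIZE)     # SetFilePointer(section i)
        raw = f.read(SECTION_HEADER_SIZE)                   # ReadFile(..., 0x28)
        if len(raw) != SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name, vsize, vaddr, raw_size, raw_off = struct.unpack_from("<8sIIII", raw, 0)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "raw_off": raw_off, "raw_size": raw_size})
    return {"machine": machine, "e_lfanew": e_lfanew, "sections": sections}


def is_pe32_image(data: bytes) -> bool:
    """True when the three-read walk succeeds, False on any malformed input."""
    try:
        walk_pe_headers(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(walk_pe_headers(build_minimal_pe32()))
```

A capability that parses PE headers from disk with raw reads, inside a binary that the report also shows injecting a PE into a foreign process and starting dropped executables from C:\Windows, is worth correlating with those signatures when you write detections for this family.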
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 0077202D
• GetSystemInfo.KERNEL32(?), ref: 0077204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0077206A
• GetProcAddress.KERNEL32(00000000), ref: 00772071
• GetCurrentProcess.KERNEL32(?), ref: 00772082
• GetTickCount.KERNEL32 ref: 00772230
  • Part of subcall function 00771E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00771E7C
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: c31f1bc74410f2b08661f2d85c19bbd7d30d1a15da9536fc07bf303803c94f0b
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: E851D570500348AFE730AF658C8AF677AECFB44784F40892DF99E82143D6BDA944C765
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
• ExitProcess.KERNEL32 ref: 00404121
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
• Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
• Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00773068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00773078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00773095
• RtlAllocateHeap.NTDLL(00000000), ref: 007730B6
• htons.WS2_32(00000035), ref: 007730EF
• inet_addr.WS2_32(?), ref: 007730FA
• gethostbyname.WS2_32(?), ref: 0077310D
• HeapFree.KERNEL32(00000000), ref: 0077314D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: f4eca0bd814e8dcdeeba99fa8212fd549da60b0e1e424dfcf0573a2da01babad
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 0E318731B0060AABDF119BB89C48AAE7778AF047A1F54C125E51CE7290DB78DE41DB54
APIs
• GetVersionExA.KERNEL32(?), ref: 007795A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007795D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 007795DC
• wsprintfA.USER32 ref: 00779635
• wsprintfA.USER32 ref: 00779673
• wsprintfA.USER32 ref: 007796F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00779758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0077978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 007797D8
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: dbf737d5b8b309f009f61b9136445fc7bf9b61a7f6102b01cd6e5d2df684d9fc
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: F9A16FB1901208EFEF25DFA4CC45FDA3BACEB05781F108026FA1996152E779D984CBA5
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 007767C3
• htonl.WS2_32(?), ref: 007767DF
• htonl.WS2_32(?), ref: 007767EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 007768F1
• ExitProcess.KERNEL32 ref: 007769BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 3b071b62396c4dd01147634692be2b3b918ae8c070e3e3dbdbc5081c41704860
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 64614071940208EFDF609FA4DC45FEA77E9FB08300F148069FA5DD2161DA7599948F54
APIs
• htons.WS2_32(0077CC84), ref: 0077F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0077F5CE
• closesocket.WS2_32(00000000), ref: 0077F5DC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 2130cd02c8687465b3ce74a1b2361191e0f265ac2d194b003cb3f6234eb4da25
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 3C316C72900118ABDB10DFA9DD89DEF7BBCEF88350F108576F919E3150E7749A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 00772FA1
• LoadLibraryA.KERNEL32(?), ref: 00772FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00772FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00773000
• RtlAllocateHeap.NTDLL(00000000), ref: 00773007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00773032
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: c3ac9e14c5d7cf3868173d33bf62decd1fd7d3e227205144027db8ac820c4efb
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: AE219271900229BBCF219B64DC48DAEBBB9EF08B90F108421F909E7141D7B89EC1D7D4
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                              • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                              • API String ID: 1082366364-3395550214
                                                                                              • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                              • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                              • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                              • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                              APIs
                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00779A18
                                                                                              • GetThreadContext.KERNEL32(?,?), ref: 00779A52
                                                                                              • TerminateProcess.KERNEL32(?,00000000), ref: 00779A60
                                                                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00779A98
                                                                                              • SetThreadContext.KERNEL32(?,00010002), ref: 00779AB5
                                                                                              • ResumeThread.KERNEL32(?), ref: 00779AC2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                              • String ID: D
                                                                                              • API String ID: 2981417381-2746444292
                                                                                              • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                              • Instruction ID: 07103a66c7c2ca6f7ebf0672288caa3dd543a15af4a1cecfc0b829ce08cf95b2
                                                                                              • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                              • Instruction Fuzzy Hash: 60213BB1A02219BBDF11DBA1DC09EEF7BBCEF05790F408061FA19E5150E7798A44CBA4
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(004102D8), ref: 00771C18
                                                                                              • LoadLibraryA.KERNEL32(004102C8), ref: 00771C26
                                                                                              • GetProcessHeap.KERNEL32 ref: 00771C84
                                                                                              • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00771C9D
                                                                                              • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00771CC1
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000), ref: 00771D02
                                                                                              • FreeLibrary.KERNEL32(?), ref: 00771D0B
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                              • String ID:
                                                                                              • API String ID: 2324436984-0
                                                                                              • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                              • Instruction ID: 0fb669a1ebe6ad571c1a12244d310c7ded1a1b0214e4d56ab833aa0f22bc7dfe
                                                                                              • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                              • Instruction Fuzzy Hash: FF314332E00219BFCF219FE8DC888FEBBB9EB45751B65847AE505A2110D7B94D80DB64
                                                                                              APIs
                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00776CE4
                                                                                              • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00776D22
                                                                                              • GetLastError.KERNEL32 ref: 00776DA7
                                                                                              • CloseHandle.KERNEL32(?), ref: 00776DB5
                                                                                              • GetLastError.KERNEL32 ref: 00776DD6
                                                                                              • DeleteFileA.KERNEL32(?), ref: 00776DE7
                                                                                              • GetLastError.KERNEL32 ref: 00776DFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                              • String ID:
                                                                                              • API String ID: 3873183294-0
                                                                                              • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                              • Instruction ID: 57c00d9eba75bdd619f900ec181eec399ba67ed62ff144be809d2d6ba455e8e2
                                                                                              • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                              • Instruction Fuzzy Hash: 4F31EE76A00649BFCF21AFA49D48ADE7F79EB48380F14C075E219E3211D7748A858B61
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wdlalqiu,00777043), ref: 00776F4E
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00776F55
                                                                                              • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00776F7B
                                                                                              • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00776F92
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                              • String ID: C:\Windows\SysWOW64\$\\.\pipe\wdlalqiu
                                                                                              • API String ID: 1082366364-468843816
                                                                                              • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                              • Instruction ID: 94a374d11bf80002d7bace51df95d5b1aa943ae6d9475a8fd27e91799c029012
                                                                                              • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                              • Instruction Fuzzy Hash: 92210421744340B9FB225331AD8DFFB2E5C8B527A0F18C0A5F508A5182DADD88D6C2AD
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen
                                                                                              • String ID: $localcfg
                                                                                              • API String ID: 1659193697-2018645984
                                                                                              • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                              • Instruction ID: dca6af621412f2becaa032310603d3d20f616e54509fccb7107ddea365ddb3f9
                                                                                              • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                              • Instruction Fuzzy Hash: A5711972B00304BAFF318B54DC86FEE37699B813C5F24C466F90CA60A1DA6D9D848767
                                                                                              APIs
                                                                                                • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                                • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                              • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                              • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                              • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                              • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                              • String ID: flags_upd$localcfg
                                                                                              • API String ID: 204374128-3505511081
                                                                                              • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                              • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                              • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                              • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                              APIs
                                                                                                • Part of subcall function 0077DF6C: GetCurrentThreadId.KERNEL32 ref: 0077DFBA
                                                                                              • lstrcmp.KERNEL32(00410178,00000000), ref: 0077E8FA
                                                                                              • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00776128), ref: 0077E950
                                                                                              • lstrcmp.KERNEL32(?,00000008), ref: 0077E989
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                              • String ID: A$ A$ A
                                                                                              • API String ID: 2920362961-1846390581
                                                                                              • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                              • Instruction ID: db3f7d9b3e1db57f1c2b64144296912afa41be0f2f84422f9043911f79305342
                                                                                              • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                              • Instruction Fuzzy Hash: 75318F32604705DBDF718F24C884BA67BE8EB197A4F10C9AAE65987551D378F880CB92
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Code
                                                                                              • String ID:
                                                                                              • API String ID: 3609698214-0
                                                                                              • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                              • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                              • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                              • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Code
                                                                                              • String ID:
                                                                                              • API String ID: 3609698214-0
                                                                                              • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                              • Instruction ID: 286359c28aba6acab100507eaac5b7b71ff94d6a473f674f8446e7a316aac26a
                                                                                              • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                              • Instruction Fuzzy Hash: 36216D76104615FFDF109B70EC49EEF3FADEB483A0B20C465F50AD1095EBB89A009674
                                                                                              APIs
                                                                                              • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • wsprintfA.USER32 ref: 004090E9
                                                                                              • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 2439722600-0
                                                                                              • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                              • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                              • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                              • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
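The three call listings above at 00779A18 (CreateProcessA with dwCreationFlags 00000004, then WriteProcessMemory, SetThreadContext and ResumeThread), 00776CE4 (CreateFileA with desired access 40000000 and disposition 00000002, GetDiskFreeSpaceA, then DeleteFileA) and 0040907B (GetTempPathA, CreateFileA, WriteFile) show only raw argument values. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the "APIs" format used on this page, decodes the flag arguments of CreateProcessA, CreateFileA and SetThreadContext into their Win32 names, and labels the three API chains. The three sample entries embedded in it are abridged copies of the listings above; the flag tables, the behaviour labels and the A/W-suffix stripping are the example's own, and reading the second SetThreadContext argument (00010002) as the CONTEXT.ContextFlags field of the structure the pointer refers to is an assumption about how the report renders that parameter.

```python
import re
from typing import Dict, List, Optional

# One line of a Joe Sandbox "APIs" listing, e.g.
#   • CreateProcessA.KERNEL32(00000000,?,...,00000004,...), ref: 00779A18
#   • GetProcessHeap.KERNEL32 ref: 00771C84
# A leading "Part of subcall function XXXXXXXX:" is accepted and skipped.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"[0-9A-Fa-f]{8}")

# Win32 constants for the argument positions the call sites on this page use.
CREATION_FLAGS = {0x00000004: "CREATE_SUSPENDED"}
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# Assumption: the report shows CONTEXT.ContextFlags for SetThreadContext's
# second (pointer) parameter, so 00010002 reads as CONTEXT_i386|CONTEXT_INTEGER.
CONTEXT_FLAGS = {0x00010000: "CONTEXT_i386", 0x1: "CONTEXT_CONTROL", 0x2: "CONTEXT_INTEGER"}
# (API base name without A/W suffix, 0-based argument index) -> (kind, table)
ARG_DECODERS = {
    ("CreateProcess", 5): ("bits", CREATION_FLAGS),
    ("CreateFile", 1): ("bits", ACCESS_FLAGS),
    ("CreateFile", 4): ("enum", DISPOSITION),
    ("SetThreadContext", 1): ("bits", CONTEXT_FLAGS),
}

def base_name(api: str) -> str:
    """Strip the ANSI/Unicode suffix: CreateFileA -> CreateFile (lstrlen stays lstrlen)."""
    return re.sub(r"[AW]$", "", api)

def decode_arg(base: str, index: int, raw: str) -> Optional[str]:
    """Render one 8-hex-digit argument symbolically, or None if not decodable."""
    kind_table = ARG_DECODERS.get((base, index))
    if kind_table is None or not HEX8.fullmatch(raw):
        return None  # "?" placeholders and positions without a decoder
    kind, table = kind_table
    value = int(raw, 16)
    if kind == "enum":
        return table.get(value)
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else None

def parse_api_lines(text: str) -> List[Dict]:
    """Parse every API line of one function entry, keeping decoded flags per position."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        base = base_name(m["name"])
        flags = {i: decode_arg(base, i, a) for i, a in enumerate(args)}
        calls.append({"name": m["name"], "base": base, "ref": m["ref"], "args": args,
                      "flags": {i: f for i, f in flags.items() if f}})
    return calls

def _calls(calls: List[Dict], base: str) -> List[Dict]:
    return [c for c in calls if c["base"] == base]

def _has_flag(calls: List[Dict], base: str, index: int, flag: str) -> bool:
    return any(flag in (c["flags"].get(index) or "").split("|") for c in _calls(calls, base))

def classify(calls: List[Dict]) -> List[str]:
    """Label the behaviours one API chain shows; the labels are this example's own."""
    found = []
    # Suspended child, remote write, thread context rewrite, resume: code injection
    # into a freshly created process (commonly called process hollowing / RunPE).
    if (_has_flag(calls, "CreateProcess", 5, "CREATE_SUSPENDED")
            and _calls(calls, "WriteProcessMemory") and _calls(calls, "SetThreadContext")
            and _calls(calls, "ResumeThread")):
        found.append("suspended-process injection")
    writes_new_file = (_has_flag(calls, "CreateFile", 1, "GENERIC_WRITE")
                       and (_has_flag(calls, "CreateFile", 4, "CREATE_ALWAYS")
                            or _has_flag(calls, "CreateFile", 4, "CREATE_NEW")))
    if writes_new_file and _calls(calls, "GetTempPath") and _calls(calls, "WriteFile"):
        found.append("drops file in %TEMP%")
    if writes_new_file and _calls(calls, "DeleteFile") and not _calls(calls, "WriteFile"):
        found.append("create-and-delete write probe")  # no WriteFile between create and delete
    return found

# Sample input: API lines copied (abridged) from three function entries of this report.
HOLLOWING_ENTRY = r"""• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00779A18
• GetThreadContext.KERNEL32(?,?), ref: 00779A52
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00779A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00779AB5
• ResumeThread.KERNEL32(?), ref: 00779AC2"""
DROP_ENTRY = r"""• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D"""
PROBE_ENTRY = r"""• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00776CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00776D22
• CloseHandle.KERNEL32(?), ref: 00776DB5
• DeleteFileA.KERNEL32(?), ref: 00776DE7"""

if __name__ == "__main__":
    for label, entry in (("00779A18", HOLLOWING_ENTRY), ("0040907B", DROP_ENTRY), ("00776CE4", PROBE_ENTRY)):
        calls = parse_api_lines(entry)
        print(label, classify(calls), [(c["name"], c["flags"]) for c in calls if c["flags"]])
```

Run stand-alone it prints, per entry, the labels and the decoded flags of each call that carries any. The "create-and-delete write probe" label records only what the 00776CE4 listing shows (a file opened for writing with CREATE_ALWAYS, a free-space query, then DeleteFileA with no WriteFile in between); whether that is a writable-location check is an interpretation the API chain alone does not confirm. The same parser applies unchanged to the later GetTempPathA entry at 007792E2, whose call sequence matches 0040907B.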
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 007792E2
• wsprintfA.USER32 ref: 00779350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00779375
• lstrlen.KERNEL32(?,?,00000000), ref: 00779389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00779394
• CloseHandle.KERNEL32(00000000), ref: 0077939B
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 1ebf825d199486d4941955450386bbfc00b58bdfb044f13fc147bc98d9dfbfa2
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 821184B1740114BBEB606B31ED0EFEF3A6DDBC8B50F00C065FB09E5091EAB84A5186A4
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0077C6B4
• InterlockedIncrement.KERNEL32(0077C74B), ref: 0077C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0077C747), ref: 0077C728
• CloseHandle.KERNEL32(00000000,?,0077C747,00413588,00778A77), ref: 0077C733
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 3467bdd1cf6da529de6ae3c9b930f5bd9e3eaf9b402b1dae93de2f1c9d4c7540
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: 56514CB1A01B418FDB258F29C5C552ABBE9FB4C340B60993EE18BC7A90D779F8408B50
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe
• API String ID: 124786226-2316492303
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0077E50A,00000000,00000000,00000000,00020106,00000000,0077E50A,00000000,000000E4), ref: 0077E319
• RegSetValueExA.ADVAPI32(0077E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0077E38E
• RegDeleteValueA.ADVAPI32(0077E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw), ref: 0077E3BF
• RegCloseKey.ADVAPI32(0077E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw,0077E50A), ref: 0077E3C8
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
• API ID: Value$CloseCreateDelete
• String ID: Dw
• API String ID: 2667537340-3192257026
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 97ba917be264961d4311b1b65abaf7195d0e3157e6851e21a3d70bc03237ca25
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 32215C71A0021DBBDF209FA4EC89EEE7F79EF08790F108061F908E7151E2758A54D7A0
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 007771E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00777228
• LocalFree.KERNEL32(?,?,?), ref: 00777286
• wsprintfA.USER32 ref: 0077729D
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 48583f42aea7806cb621d0c20bb0839618128c36e356d2c140f9f6805c271316
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 65310B72A04208BBDF01DFA4DC49ADA7BBCEF04354F14C066F959DB111EA79D648CB94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
APIs
• GetLocalTime.KERNEL32(?), ref: 0077B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0077B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0077B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0077B590
• wsprintfA.USER32 ref: 0077B61E
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 5076087b4746f9a5ea043ff05fb56aa87900fd567641dac44029b74b135a1e34
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 045120B1D0021DAACF14DFD5D8895EEBBB9BF48344F10816AF505B6150E7B84AC9CF98
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                              • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                              • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                              • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Read$AddressLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 2438460464-0
                                                                                              APIs
                                                                                              • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00776303
                                                                                              • LoadLibraryA.KERNEL32(?), ref: 0077632A
                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 007763B1
                                                                                              • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00776405
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: HugeRead$AddressLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 3498078134-0
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              APIs
                                                                                                • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                                • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                                • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                              • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                              • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                              • String ID: A$ A
                                                                                              • API String ID: 3343386518-686259309
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0040272E
                                                                                              • htons.WS2_32(00000001), ref: 00402752
                                                                                              • htons.WS2_32(0000000F), ref: 004027D5
                                                                                              • htons.WS2_32(00000001), ref: 004027E3
                                                                                              • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                                • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                                • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                              • String ID:
                                                                                              • API String ID: 1802437671-0
                                                                                              APIs
                                                                                              • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                              • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                              • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                              • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                              • CharToOemA.USER32(?,?), ref: 00409174
                                                                                              • wsprintfA.USER32 ref: 004091A9
                                                                                                • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                                • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                                • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                                • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                                • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                                • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3857584221-0
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 007793C6
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 007793CD
                                                                                              • CharToOemA.USER32(?,?), ref: 007793DB
                                                                                              • wsprintfA.USER32 ref: 00779410
                                                                                                • Part of subcall function 007792CB: GetTempPathA.KERNEL32(00000400,?), ref: 007792E2
                                                                                                • Part of subcall function 007792CB: wsprintfA.USER32 ref: 00779350
                                                                                                • Part of subcall function 007792CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00779375
                                                                                                • Part of subcall function 007792CB: lstrlen.KERNEL32(?,?,00000000), ref: 00779389
                                                                                                • Part of subcall function 007792CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00779394
                                                                                                • Part of subcall function 007792CB: CloseHandle.KERNEL32(00000000), ref: 0077939B
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00779448
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3857584221-0
                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                              • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                              • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$lstrcmpi
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 1808961391-1857712256
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                              • API String ID: 2574300362-1087626847
                                                                                              APIs
                                                                                                • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                              • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                              • String ID: hi_id$localcfg
                                                                                              • API String ID: 2777991786-2393279970
                                                                                              APIs
                                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                              • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                              • String ID: *p@
                                                                                              • API String ID: 3429775523-2474123842
                                                                                              • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                              • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                              • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                              • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
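The AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence above is the usual "is the caller an administrator" check: a SID with two sub-authorities 0x20 and 0x220 is built and the current token is tested for membership. The following is an added example (not part of the Joe Sandbox report and not code from the sample) that parses the trace line as printed here and rebuilds the SID string; the identifier authority is only a pointer ('?') in the trace, so SECURITY_NT_AUTHORITY (5) is an assumption, and the WELL_KNOWN table is a hand-picked subset.

```python
import re

# Assumed SDK values: the trace shows '?' for the authority pointer, so 5 is an assumption.
SECURITY_NT_AUTHORITY = 5
WELL_KNOWN = {                      # small hand-picked subset of well-known SIDs
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Constructed from the AllocateAndInitializeSid line in the record above.
TRACE_LINE = ("AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,"
              "00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F")

_CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


def _arg(tok):
    """'?' means the plugin could not recover the value; non-hex tokens are string hints."""
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok          # e.g. '*p@' or 'localcfg' annotations in other records


def parse_call(line):
    """Split 'Api.DLL(args), ref: addr' into api, module, decoded args and call site."""
    m = _CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a trace call line: {line!r}")
    args = [_arg(a) for a in m.group(3).split(",")]
    return {"api": m.group(1), "module": m.group(2), "args": args, "ref": int(m.group(4), 16)}


def sid_from_allocate_args(args, identifier_authority=SECURITY_NT_AUTHORITY):
    """Rebuild the SID AllocateAndInitializeSid would produce from its argument list.

    Argument order follows the SDK prototype: (pIdentifierAuthority, nSubAuthorityCount,
    dwSubAuthority0..7, *pSid). Only the count and sub-authorities are visible in the trace.
    """
    count = args[1]
    if count is None or not 1 <= count <= 8:
        raise ValueError("nSubAuthorityCount out of range")
    subs = args[2:2 + count]
    if any(not isinstance(s, int) for s in subs):
        raise ValueError("sub-authority not recoverable from trace")
    return "S-1-" + str(identifier_authority) + "".join(f"-{s}" for s in subs)


def describe_membership_check(line, identifier_authority=SECURITY_NT_AUTHORITY):
    """Return (SID string, friendly name) for the group the sample tests membership of."""
    call = parse_call(line)
    if call["api"] != "AllocateAndInitializeSid":
        raise ValueError("expected AllocateAndInitializeSid")
    sid = sid_from_allocate_args(call["args"], identifier_authority)
    return sid, WELL_KNOWN.get(sid, "unknown")


if __name__ == "__main__":
    print(describe_membership_check(TRACE_LINE))
```

CheckTokenMembership is called with a NULL token handle, so the check applies to the calling thread's impersonation token or, failing that, the process token; a result of S-1-5-32-544 therefore tells you the branch at 00406F24 decides on whether the current process runs as a member of BUILTIN\Administrators.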
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbynameinet_addr
                                                                                              • String ID: time_cfg$u6A
                                                                                              • API String ID: 1594361348-1940331995
                                                                                              • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction ID: 5b80bd6e8cfc52b57163f43040b874cf2ff6d6412c07448dc84df1a4e4567c7a
                                                                                              • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction Fuzzy Hash: D8E08C306041118FCB008B28F848AC537A4AF0A370F04C580F068D31A1C738DD829A41
                                                                                              APIs
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080), ref: 007769E5
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002), ref: 00776A26
                                                                                              • GetFileSize.KERNEL32(000000FF,00000000), ref: 00776A3A
                                                                                              • CloseHandle.KERNEL32(000000FF), ref: 00776BD8
                                                                                                • Part of subcall function 0077EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00771DCF,?), ref: 0077EEA8
                                                                                                • Part of subcall function 0077EE95: HeapFree.KERNEL32(00000000), ref: 0077EEAF
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                              • String ID:
                                                                                              • API String ID: 3384756699-0
                                                                                              • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                              • Instruction ID: 06ca6df95259339e926cc1c9add2b69cfc259b4dd5aa7b6177a3b6677d107590
                                                                                              • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                              • Instruction Fuzzy Hash: 0C7139B190061DEFDF10DFA4CC809EEBBB9FB04354F20856AE519E61A0D7349E92DB50
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf
                                                                                              • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                              • API String ID: 2111968516-120809033
                                                                                              • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                              • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                              • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                              • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                              APIs
                                                                                              • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                              • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                              • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseCreateDelete
                                                                                              • String ID:
                                                                                              • API String ID: 2667537340-0
                                                                                              • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                              • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                              • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                              • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                              • GetLastError.KERNEL32 ref: 00403F4E
                                                                                              • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3373104450-0
                                                                                              • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                              • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                              APIs
                                                                                              • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                              • GetLastError.KERNEL32 ref: 00403FC2
                                                                                              • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 888215731-0
                                                                                              • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                              • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007741AB
                                                                                              • GetLastError.KERNEL32 ref: 007741B5
                                                                                              • WaitForSingleObject.KERNEL32(?,?), ref: 007741C6
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 007741D9
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3373104450-0
                                                                                              • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction ID: 9a3e86cddacf04a0a94edc49ee59af072c76ba5ffae56337fe6d120d1d140458
                                                                                              • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                              • Instruction Fuzzy Hash: 9D01297651111EABDF01EF90ED84BEE3B6CEB18396F408061F905E2050D7749A908BB9
                                                                                              APIs
                                                                                              • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0077421F
                                                                                              • GetLastError.KERNEL32 ref: 00774229
                                                                                              • WaitForSingleObject.KERNEL32(?,?), ref: 0077423A
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0077424D
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                              • String ID:
                                                                                              • API String ID: 888215731-0
                                                                                              • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction ID: e45734ea573cae997385bb26b763945fb040c55589f3617fc9734aa778915558
                                                                                              • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                              • Instruction Fuzzy Hash: FF01E572511109ABDF01DF90ED84BEE7BACFB08395F108061F905E2451D7749A648BB6
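The two WriteFile/ReadFile records at 00403F44/00403FB8 (dump at offset 00400000, PE-backed) and at 007741AB/0077421F (dump at offset 00770000, not PE-backed) carry identical Opcode IDs but different Instruction IDs: the same opcode sequence is present in both memory regions, with only operands (addresses) differing. Cross-referencing Opcode IDs across dumps is a quick way to confirm that a non-PE region contains relocated copies of functions from the original image. The following is an added example, not part of the report, that parses a constructed excerpt of these records and lists every Opcode ID seen in more than one dump.

```python
import re

# Constructed excerpt of three records from this report (leading whitespace removed).
SAMPLE_REPORT = """\
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
Memory Dump Source
• Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 007741AB
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
• Instruction ID: 9a3e86cddacf04a0a94edc49ee59af072c76ba5ffae56337fe6d120d1d140458
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0077E066
Memory Dump Source
• Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
Similarity
• API ID: lstrcmp
• Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction ID: ead20b8a5319a4ecf1d0ae7758f23ffdc056fdfe9cd8f5bf3c1be7ae61fd8c3d
"""

_SOURCE_RE = re.compile(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
_API_RE = re.compile(r"^• (?:Part of subcall function [0-9A-Fa-f]+: )?(\w+)\.(\w+)[( ]")
_KV_RE = re.compile(r"^• ([^:]+): ?(.*)$")


def parse_records(text):
    """Split the report into one record per 'APIs' header and collect its bullet fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "fields": {}}
            records.append(current)
            continue
        if current is None:
            continue
        m = _API_RE.match(line)          # API call lines come first: they also contain ', ref:'
        if m:
            current["apis"].append(f"{m.group(1)}.{m.group(2)}")
            continue
        m = _KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            current["fields"][key] = value
            if key == "Source File":
                src = _SOURCE_RE.search(value)
                if src:
                    current["offset"] = src.group(1).upper()
                    current["based_on_pe"] = src.group(2) == "true"
    return records


def shared_opcodes(records):
    """Opcode IDs found in more than one dump, with the offsets and Instruction IDs per ID."""
    by_opcode = {}
    for rec in records:
        oid, off = rec["fields"].get("Opcode ID"), rec.get("offset")
        if not (oid and off):
            continue
        entry = by_opcode.setdefault(oid, {"offsets": set(), "instruction_ids": set(),
                                           "api_id": rec["fields"].get("API ID", "")})
        entry["offsets"].add(off)
        iid = rec["fields"].get("Instruction ID")
        if iid:
            entry["instruction_ids"].add(iid)
    return {oid: {"offsets": sorted(e["offsets"]),
                  "instruction_ids": sorted(e["instruction_ids"]),
                  "api_id": e["api_id"]}
            for oid, e in by_opcode.items() if len(e["offsets"]) > 1}


if __name__ == "__main__":
    for oid, hit in shared_opcodes(parse_records(SAMPLE_REPORT)).items():
        print(oid[:16], hit["api_id"], hit["offsets"], len(hit["instruction_ids"]), "instruction ids")
```

Run it on the full report text (with the page's indentation left in place; the parser strips it) to get the complete list of functions shared between the 00400000 and 00770000 dumps. A shared Opcode ID with differing Instruction IDs is exactly the pattern of the same function relocated to a new base.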
                                                                                              APIs
                                                                                              • lstrcmp.KERNEL32(?,80000009), ref: 0077E066
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp
                                                                                              • String ID: A$ A$ A
                                                                                              • API String ID: 1534048567-1846390581
                                                                                              • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                              • Instruction ID: ead20b8a5319a4ecf1d0ae7758f23ffdc056fdfe9cd8f5bf3c1be7ae61fd8c3d
                                                                                              • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                              • Instruction Fuzzy Hash: F7F062312007029BCF20CF25D884A92B7E9FB09361B64C6BAE158C3060D3B8A898CB51
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                              • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$ExchangeInterlockedSleep
                                                                                              • String ID:
                                                                                              • API String ID: 2207858713-0
                                                                                              • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                              • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                              • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                              • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                              • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                              • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$ExchangeInterlockedSleep
                                                                                              • String ID:
                                                                                              • API String ID: 2207858713-0
                                                                                              • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                              • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                              • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                              • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                              • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                              • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                              • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$ExchangeInterlockedSleep
                                                                                              • String ID:
                                                                                              • API String ID: 2207858713-0
                                                                                              • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                              • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                              • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                              • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 00403103
                                                                                              • GetTickCount.KERNEL32 ref: 0040310F
                                                                                              • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$ExchangeInterlockedSleep
                                                                                              • String ID:
                                                                                              • API String ID: 2207858713-0
                                                                                              • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                              • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                              • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                              • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000001,Dw,00000000,00000000,00000000), ref: 0077E470
                                                                                              • CloseHandle.KERNEL32(00000001,00000003), ref: 0077E484
                                                                                                • Part of subcall function 0077E2FC: RegCreateKeyExA.ADVAPI32(80000001,0077E50A,00000000,00000000,00000000,00020106,00000000,0077E50A,00000000,000000E4), ref: 0077E319
                                                                                                • Part of subcall function 0077E2FC: RegSetValueExA.ADVAPI32(0077E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0077E38E
                                                                                                • Part of subcall function 0077E2FC: RegDeleteValueA.ADVAPI32(0077E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw), ref: 0077E3BF
                                                                                                • Part of subcall function 0077E2FC: RegCloseKey.ADVAPI32(0077E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dw,0077E50A), ref: 0077E3C8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                              • String ID: Dw
                                                                                              • API String ID: 4151426672-3192257026
                                                                                              • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                              • Instruction ID: 22efb760203f1044cf21e815a5498de4a002aee10b3c6a57903d8fdd31b76466
                                                                                              • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                              • Instruction Fuzzy Hash: 7E41DB72900208FAEF205B558C4AFEB3B6CEB087A4F14C075FA1D94192E7B98A50D6B4
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 007783C6
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00778477
                                                                                                • Part of subcall function 007769C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 007769E5
                                                                                                • Part of subcall function 007769C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00776A26
                                                                                                • Part of subcall function 007769C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00776A3A
                                                                                                • Part of subcall function 0077EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00771DCF,?), ref: 0077EEA8
                                                                                                • Part of subcall function 0077EE95: HeapFree.KERNEL32(00000000), ref: 0077EEAF
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                              • String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe
                                                                                              • API String ID: 359188348-2316492303
                                                                                              • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                              • Instruction ID: d7f35b4f97e88883d6d2441e7ec2bb46ffdc84e8742d7693809167ce98db5aca
                                                                                              • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                              • Instruction Fuzzy Hash: 0D4183B1940149BEEF50EFA0DD89DFF776CEB04390F1484B6F508D6011FAB85A548B65
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?), ref: 0077AFFF
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 0077B00D
                                                                                                • Part of subcall function 0077AF6F: gethostname.WS2_32(?,00000080), ref: 0077AF83
                                                                                                • Part of subcall function 0077AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0077AFE6
                                                                                                • Part of subcall function 0077331C: gethostname.WS2_32(?,00000080), ref: 0077333F
                                                                                                • Part of subcall function 0077331C: gethostbyname.WS2_32(?), ref: 00773349
                                                                                                • Part of subcall function 0077AA0A: inet_ntoa.WS2_32(00000000), ref: 0077AA10
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                              • String ID: %OUTLOOK_BND_
                                                                                              • API String ID: 1981676241-3684217054
                                                                                              • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                              • Instruction ID: 520da1a00bc306dd47a385fa6212dff457f06be2c28d35dacae3bd5f15301fad
                                                                                              • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                              • Instruction Fuzzy Hash: A141F17290024CABDF25AFA0DC45EEE376CFB08344F148426F91992152EA79D654DB54
                                                                                              APIs
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00779536
                                                                                              • Sleep.KERNEL32(000001F4), ref: 0077955D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ExecuteShellSleep
                                                                                              • String ID:
                                                                                              • API String ID: 4194306370-3916222277
                                                                                              • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                              • Instruction ID: 03ae43c9e96d20f23e6ec651422747a6da23ace37cd668aa017389d889b7f81f
                                                                                              • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                              • Instruction Fuzzy Hash: EA4129718053A46EEF378B68D88D7F63BA49B02394F28C1E5D28E971E2E67C4D81C711
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                              • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID: ,k@
                                                                                              • API String ID: 3934441357-1053005162
                                                                                              • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                              • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                              • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                              • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 0077B9D9
                                                                                              • InterlockedIncrement.KERNEL32(00413648), ref: 0077BA3A
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 0077BA94
                                                                                              • GetTickCount.KERNEL32 ref: 0077BB79
                                                                                              • GetTickCount.KERNEL32 ref: 0077BB99
                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 0077BE15
                                                                                              • closesocket.WS2_32(00000000), ref: 0077BEB4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountIncrementInterlockedTick$closesocket
                                                                                              • String ID: %FROM_EMAIL
                                                                                              • API String ID: 1869671989-2903620461
                                                                                              • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                              • Instruction ID: 9e8e2d36e46b9463db373f701c2d4b96abd50dd58ff78f3b5aab9fd2bbc48b00
                                                                                              • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                              • Instruction Fuzzy Hash: B4318D71500248EFDF25DFA4DC88BED77B8EB48740F208056FA2882261EB78DA85CF10
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 536389180-1857712256
                                                                                              • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                              • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                              • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                                              • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                              APIs
                                                                                              Strings
                                                                                              • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTickwsprintf
                                                                                              • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                              • API String ID: 2424974917-1012700906
                                                                                              • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                              • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                              • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                              • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
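The string IDs recorded across the entries above (localcfg, %OUTLOOK_BND_, %FROM_EMAIL, the dropped path under C:\Windows\SysWOW64\, and the verbose "Type = %d: works = %d ..." status format string) are the kind of indicator a responder would carry from this report into a memory-dump triage. The script below is an added example, not Joe Sandbox code and not code from the sample: it searches a buffer for those strings in both ASCII and UTF-16LE (the sample mixes A and W APIs), adds a regex for the install path, and only raises a verdict when several distinct indicators co-occur. The install-path regex (eight lowercase letters for both the directory and the file name) is an assumption generalised from the single path seen in this report, and the DUMP buffer is constructed for the example rather than taken from a real dump.

```python
"""Triage a memory dump for the Tofsee strings listed in this report (added example)."""
import re

# Indicator strings taken from the 'String ID' / 'Strings' entries in the listing.
INDICATORS = [
    b"%FROM_EMAIL",
    b"%OUTLOOK_BND_",
    b"localcfg",
    b"no locks and using MX is disabled",
    b"Type = %d: works = %d cur_thr = %d num_thr = %d",
]
# Assumed generalisation of the one observed path (8 lowercase letters, twice).
# A fixed system binary name such as svchost.exe under SysWOW64 must not match.
INSTALL_PATH_RE = re.compile(rb"C:\\Windows\\SysWOW64\\[a-z]{8}\\[a-z]{8}\.exe", re.IGNORECASE)

def as_utf16le(ascii_bytes):
    return ascii_bytes.decode("ascii").encode("utf-16-le")

def find_all(buf, needle):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def scan(buf):
    """Return (offset, encoding, label, matched_text) tuples sorted by offset."""
    hits = []
    for ind in INDICATORS:
        label = ind.decode()
        for enc, needle in (("ascii", ind), ("utf-16le", as_utf16le(ind))):
            hits.extend((pos, enc, label, label) for pos in find_all(buf, needle))
    for m in INSTALL_PATH_RE.finditer(buf):
        hits.append((m.start(), "ascii", "install-path", m.group().decode()))
    return sorted(hits)

def verdict(hits, minimum=3):
    """Flag only when several distinct indicators co-occur, to limit single-string false positives."""
    labels = sorted({label for _, _, label, _ in hits})
    return len(labels) >= minimum, labels

# Constructed sample buffer standing in for a process memory dump.
DUMP = (
    b"\x00" * 32
    + b"%FROM_EMAIL\x00" + b"\x90" * 16
    + as_utf16le(b"localcfg") + b"\x00\x00"
    + b"C:\\Windows\\SysWOW64\\svchost.exe\x00"             # decoy: must not match
    + b"C:\\Windows\\SysWOW64\\abcdefgh\\ijklmnop.exe\x00"  # constructed name, matches pattern
    + b"Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d\x00"
)

if __name__ == "__main__":
    hits = scan(DUMP)
    for off, enc, label, text in hits:
        print(f"0x{off:08x} {enc:<8} {label:<14} {text}")
    print("tofsee-like:", verdict(hits))
```

Run against a real dump (for example the 0000000C.00000002.2095646286.0000000000770000 region this report analysed), read the file as bytes and pass it to scan(); the threshold in verdict() is a tuning knob, since "localcfg" alone is too generic to act on.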
                                                                                              APIs
                                                                                                • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                                • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                              • String ID: %FROM_EMAIL
                                                                                              • API String ID: 3716169038-2903620461
                                                                                              • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                              • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                              • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                              • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                              APIs
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 007770BC
                                                                                              • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 007770F4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Name$AccountLookupUser
                                                                                              • String ID: |
                                                                                              • API String ID: 2370142434-2343686810
                                                                                              • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                              • Instruction ID: 5b40a8d353439d6efb3b1e8ce01ea50cb2591e74f29bfb183622d901dcbc54e2
                                                                                              • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                              • Instruction Fuzzy Hash: 72116172A0411CEBDF15CFD4DC84ADEB7BCAB44341F5481A6E505E6090E7749B88CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                                • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                              • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                              • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 2777991786-1857712256
                                                                                              • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                              • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                              • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                              • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                              APIs
                                                                                              • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                              • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: IncrementInterlockedlstrcpyn
                                                                                              • String ID: %FROM_EMAIL
                                                                                              • API String ID: 224340156-2903620461
                                                                                              • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                              • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                              • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                              • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                              APIs
                                                                                              • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                              • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbyaddrinet_ntoa
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 2112563974-1857712256
                                                                                              • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                              • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                              • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                              • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                              • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbynameinet_addr
                                                                                              • String ID: time_cfg
                                                                                              • API String ID: 1594361348-2401304539
                                                                                              • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                              • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                              • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProc
                                                                                              • String ID: ntdll.dll
                                                                                              • API String ID: 2574300362-2227199552
                                                                                              • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                              • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                              • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                              • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                              APIs
                                                                                                • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                                • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                              • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095329209.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_400000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1017166417-0
                                                                                              • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                              • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                              • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                              • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                              APIs
                                                                                                • Part of subcall function 00772F88: GetModuleHandleA.KERNEL32(?), ref: 00772FA1
                                                                                                • Part of subcall function 00772F88: LoadLibraryA.KERNEL32(?), ref: 00772FB1
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007731DA
                                                                                              • HeapFree.KERNEL32(00000000), ref: 007731E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000C.00000002.2095646286.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Offset: 00770000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_12_2_770000_igqrtpsy.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                              • String ID:
                                                                                              • API String ID: 1017166417-0
                                                                                              • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                              • Instruction ID: b7fa0d012235ad62a46887ac8f287b9b76d164b8bc47d25cc6c189af4f621862
                                                                                              • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                              • Instruction Fuzzy Hash: 4151CA3190020AEFCF019F64D8889FAB775FF15345F248568ECAAC7212E736DA19CB90

                                                                                              Execution Graph

                                                                                              Execution Coverage:14.7%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:0.7%
                                                                                              Total number of Nodes:1807
                                                                                              Total number of Limit Nodes:18
6758->6759 6760 3e1c41 6758->6760 6759->6757 6760->6757 6762 3eee2a 6761->6762 6763 3e30d0 gethostname gethostbyname 6762->6763 6764 3e1f82 6763->6764 6764->6309 6764->6311 6766 3edd05 6 API calls 6765->6766 6767 3edf7c 6766->6767 6768 3edd84 lstrcmpiA 6767->6768 6772 3edf89 6768->6772 6769 3edfc4 6769->6278 6770 3eddcf lstrcmpA 6770->6772 6771 3eec2e codecvt 4 API calls 6771->6772 6772->6769 6772->6770 6772->6771 6773 3edd84 lstrcmpiA 6772->6773 6773->6772 6777 3e2419 lstrlenA 6774->6777 6776 3e2491 6776->6730 6778 3e243d lstrlenA 6777->6778 6779 3e2474 6777->6779 6780 3e244e lstrcmpiA 6778->6780 6781 3e2464 lstrlenA 6778->6781 6779->6776 6780->6781 6782 3e245c 6780->6782 6781->6778 6781->6779 6782->6779 6782->6781 6784 3edd05 6 API calls 6783->6784 6785 3ee8b4 6784->6785 6786 3edd84 lstrcmpiA 6785->6786 6787 3ee8c0 6786->6787 6788 3ee8c8 lstrcpynA 6787->6788 6789 3ee90a 6787->6789 6790 3ee8f5 6788->6790 6791 3e2419 4 API calls 6789->6791 6800 3eea27 6789->6800 6804 3edf4c 6790->6804 6792 3ee926 lstrlenA lstrlenA 6791->6792 6794 3ee94c lstrlenA 6792->6794 6795 3ee96a 6792->6795 6794->6795 6798 3eebcc 4 API calls 6795->6798 6795->6800 6796 3ee901 6797 3edd84 lstrcmpiA 6796->6797 6797->6789 6799 3ee98f 6798->6799 6799->6800 6801 3edf4c 20 API calls 6799->6801 6800->6734 6802 3eea1e 6801->6802 6803 3eec2e codecvt 4 API calls 6802->6803 6803->6800 6805 3edd05 6 API calls 6804->6805 6806 3edf51 6805->6806 6807 3ef04e 4 API calls 6806->6807 6808 3edf58 6807->6808 6809 3ede24 10 API calls 6808->6809 6810 3edf63 6809->6810 6810->6796 6812 3e1ae2 GetProcAddress 6811->6812 6818 3e1b68 GetComputerNameA GetVolumeInformationA 6811->6818 6815 3e1af5 6812->6815 6812->6818 6813 3e1b1c GetAdaptersAddresses 6813->6815 6816 3e1b29 6813->6816 6814 3eebed 8 API calls 6814->6815 6815->6813 6815->6814 6815->6816 6816->6816 6817 3eec2e codecvt 4 API calls 6816->6817 6816->6818 6817->6818 6818->6752 6820 3e6ec3 2 API calls 6819->6820 6821 3e7ef4 6820->6821 6831 3e7fc9 6821->6831 6855 
3e73ff 6821->6855 6823 3e7f16 6823->6831 6875 3e7809 GetUserNameA 6823->6875 6825 3e7f63 6825->6831 6899 3eef1e lstrlenA 6825->6899 6828 3eef1e lstrlenA 6829 3e7fb7 6828->6829 6901 3e7a95 RegOpenKeyExA 6829->6901 6831->6321 6833 3e7073 6832->6833 6834 3e70b9 RegOpenKeyExA 6833->6834 6835 3e70d0 6834->6835 6849 3e71b8 6834->6849 6836 3e6dc2 6 API calls 6835->6836 6839 3e70d5 6836->6839 6837 3e719b RegEnumValueA 6838 3e71af RegCloseKey 6837->6838 6837->6839 6838->6849 6839->6837 6841 3e71d0 6839->6841 6932 3ef1a5 lstrlenA 6839->6932 6842 3e7205 RegCloseKey 6841->6842 6843 3e7227 6841->6843 6842->6849 6844 3e728e RegCloseKey 6843->6844 6845 3e72b8 ___ascii_stricmp 6843->6845 6844->6849 6846 3e72cd RegCloseKey 6845->6846 6847 3e72dd 6845->6847 6846->6849 6848 3e7311 RegCloseKey 6847->6848 6850 3e7335 6847->6850 6848->6849 6849->6320 6851 3e73d5 RegCloseKey 6850->6851 6853 3e737e GetFileAttributesExA 6850->6853 6854 3e7397 6850->6854 6852 3e73e4 6851->6852 6853->6854 6854->6851 6856 3e741b 6855->6856 6857 3e6dc2 6 API calls 6856->6857 6858 3e743f 6857->6858 6859 3e7469 RegOpenKeyExA 6858->6859 6862 3e77f9 6859->6862 6870 3e7487 ___ascii_stricmp 6859->6870 6860 3e7703 RegEnumKeyA 6861 3e7714 RegCloseKey 6860->6861 6860->6870 6861->6862 6862->6823 6863 3e74d2 RegOpenKeyExA 6863->6870 6864 3e772c 6866 3e774b 6864->6866 6867 3e7742 RegCloseKey 6864->6867 6865 3e7521 RegQueryValueExA 6865->6870 6869 3e77ec RegCloseKey 6866->6869 6867->6866 6868 3e76e4 RegCloseKey 6868->6870 6869->6862 6870->6860 6870->6863 6870->6864 6870->6865 6870->6868 6872 3ef1a5 lstrlenA 6870->6872 6873 3e777e GetFileAttributesExA 6870->6873 6874 3e7769 6870->6874 6871 3e77e3 RegCloseKey 6871->6869 6872->6870 6873->6874 6874->6871 6876 3e7a8d 6875->6876 6877 3e783d LookupAccountNameA 6875->6877 6876->6825 6877->6876 6878 3e7874 GetLengthSid GetFileSecurityA 6877->6878 6878->6876 6879 3e78a8 GetSecurityDescriptorOwner 6878->6879 6880 3e791d GetSecurityDescriptorDacl 6879->6880 6881 3e78c5 EqualSid 
6879->6881 6880->6876 6896 3e7941 6880->6896 6881->6880 6882 3e78dc LocalAlloc 6881->6882 6882->6880 6883 3e78ef InitializeSecurityDescriptor 6882->6883 6885 3e78fb SetSecurityDescriptorOwner 6883->6885 6886 3e7916 LocalFree 6883->6886 6884 3e795b GetAce 6884->6896 6885->6886 6887 3e790b SetFileSecurityA 6885->6887 6886->6880 6887->6886 6888 3e7980 EqualSid 6888->6896 6889 3e7a3d 6889->6876 6892 3e7a43 LocalAlloc 6889->6892 6890 3e79be EqualSid 6890->6896 6891 3e799d DeleteAce 6891->6896 6892->6876 6893 3e7a56 InitializeSecurityDescriptor 6892->6893 6894 3e7a86 LocalFree 6893->6894 6895 3e7a62 SetSecurityDescriptorDacl 6893->6895 6894->6876 6895->6894 6897 3e7a73 SetFileSecurityA 6895->6897 6896->6876 6896->6884 6896->6888 6896->6889 6896->6890 6896->6891 6897->6894 6898 3e7a83 6897->6898 6898->6894 6900 3e7fa6 6899->6900 6900->6828 6902 3e7acb GetUserNameA 6901->6902 6903 3e7ac4 6901->6903 6904 3e7aed LookupAccountNameA 6902->6904 6905 3e7da7 RegCloseKey 6902->6905 6903->6831 6904->6905 6906 3e7b24 RegGetKeySecurity 6904->6906 6905->6903 6906->6905 6907 3e7b49 GetSecurityDescriptorOwner 6906->6907 6908 3e7bb8 GetSecurityDescriptorDacl 6907->6908 6909 3e7b63 EqualSid 6907->6909 6911 3e7da6 6908->6911 6924 3e7bdc 6908->6924 6909->6908 6910 3e7b74 LocalAlloc 6909->6910 6910->6908 6912 3e7b8a InitializeSecurityDescriptor 6910->6912 6911->6905 6913 3e7b96 SetSecurityDescriptorOwner 6912->6913 6914 3e7bb1 LocalFree 6912->6914 6913->6914 6916 3e7ba6 RegSetKeySecurity 6913->6916 6914->6908 6915 3e7bf8 GetAce 6915->6924 6916->6914 6917 3e7c1d EqualSid 6917->6924 6918 3e7cd9 6918->6911 6921 3e7d5a LocalAlloc 6918->6921 6923 3e7cf2 RegOpenKeyExA 6918->6923 6919 3e7c5f EqualSid 6919->6924 6920 3e7c3a DeleteAce 6920->6924 6921->6911 6922 3e7d70 InitializeSecurityDescriptor 6921->6922 6925 3e7d9f LocalFree 6922->6925 6926 3e7d7c SetSecurityDescriptorDacl 6922->6926 6923->6921 6929 3e7d0f 6923->6929 6924->6911 6924->6915 6924->6917 6924->6918 6924->6919 6924->6920 6925->6911 
6926->6925 6927 3e7d8c RegSetKeySecurity 6926->6927 6927->6925 6928 3e7d9c 6927->6928 6928->6925 6930 3e7d43 RegSetValueExA 6929->6930 6930->6921 6931 3e7d54 6930->6931 6931->6921 6933 3ef1c3 6932->6933 6933->6839 6933->6933 6934->6340 6936 3edd05 6 API calls 6935->6936 6937 3ee65f 6936->6937 6939 3ee6a5 6937->6939 6940 3ee68c lstrcmpA 6937->6940 6938 3eebcc 4 API calls 6941 3ee6b0 6938->6941 6939->6938 6944 3ee6f5 6939->6944 6940->6937 6942 3ee6b7 6941->6942 6943 3ee6e0 lstrcpynA 6941->6943 6941->6944 6942->6342 6943->6944 6944->6942 6945 3ee71d lstrcmpA 6944->6945 6945->6944 6946->6348 6948 3e2692 inet_addr 6947->6948 6950 3e268e 6947->6950 6949 3e269e gethostbyname 6948->6949 6948->6950 6949->6950 6951 3ef428 6950->6951 7099 3ef315 6951->7099 6954 3ef43e 6955 3ef473 recv 6954->6955 6956 3ef47c 6955->6956 6957 3ef458 6955->6957 6956->6379 6957->6955 6957->6956 6959 3ec532 6958->6959 6960 3ec525 6958->6960 6961 3ec548 6959->6961 7112 3ee7ff 6959->7112 6960->6959 6963 3eec2e codecvt 4 API calls 6960->6963 6964 3ee7ff lstrcmpiA 6961->6964 6972 3ec54f 6961->6972 6963->6959 6965 3ec615 6964->6965 6966 3eebcc 4 API calls 6965->6966 6965->6972 6966->6972 6968 3ec5d1 6970 3eebcc 4 API calls 6968->6970 6969 3ee819 11 API calls 6971 3ec5b7 6969->6971 6970->6972 6973 3ef04e 4 API calls 6971->6973 6972->6361 6974 3ec5bf 6973->6974 6974->6961 6974->6968 6976 3ec8d2 6975->6976 6977 3ec907 6976->6977 6978 3ec517 23 API calls 6976->6978 6977->6363 6978->6977 6980 3ec67d 6979->6980 6981 3ec670 6979->6981 6982 3ec699 6980->6982 6984 3eebcc 4 API calls 6980->6984 6983 3eebcc 4 API calls 6981->6983 6985 3ec6f3 6982->6985 6986 3ec73c send 6982->6986 6983->6980 6984->6982 6985->6392 6985->6408 6986->6985 6988 3ec77d 6987->6988 6989 3ec770 6987->6989 6991 3ec799 6988->6991 6992 3eebcc 4 API calls 6988->6992 6990 3eebcc 4 API calls 6989->6990 6990->6988 6993 3ec7b5 6991->6993 6995 3eebcc 4 API calls 6991->6995 6992->6991 6994 3ef43e recv 6993->6994 6996 3ec7cb 6994->6996 6995->6993 6997 
3ef43e recv 6996->6997 6998 3ec7d3 6996->6998 6997->6998 6998->6408 7115 3e7db7 6999->7115 7002 3e7e70 7004 3e7e96 7002->7004 7006 3ef04e 4 API calls 7002->7006 7003 3ef04e 4 API calls 7005 3e7e4c 7003->7005 7004->6408 7005->7002 7007 3ef04e 4 API calls 7005->7007 7006->7004 7007->7002 7009 3e6ec3 2 API calls 7008->7009 7010 3e7fdd 7009->7010 7011 3e73ff 17 API calls 7010->7011 7020 3e80c2 CreateProcessA 7010->7020 7012 3e7fff 7011->7012 7013 3e7809 21 API calls 7012->7013 7012->7020 7014 3e804d 7013->7014 7015 3eef1e lstrlenA 7014->7015 7014->7020 7016 3e809e 7015->7016 7017 3eef1e lstrlenA 7016->7017 7018 3e80af 7017->7018 7019 3e7a95 24 API calls 7018->7019 7019->7020 7020->6446 7020->6447 7022 3e7db7 2 API calls 7021->7022 7023 3e7eb8 7022->7023 7024 3ef04e 4 API calls 7023->7024 7025 3e7ece DeleteFileA 7024->7025 7025->6408 7027 3edd05 6 API calls 7026->7027 7028 3ee31d 7027->7028 7119 3ee177 7028->7119 7030 3ee326 7030->6417 7032 3e31f3 7031->7032 7042 3e31ec 7031->7042 7033 3eebcc 4 API calls 7032->7033 7047 3e31fc 7033->7047 7034 3e344b 7035 3e349d 7034->7035 7036 3e3459 7034->7036 7037 3eec2e codecvt 4 API calls 7035->7037 7038 3ef04e 4 API calls 7036->7038 7037->7042 7039 3e345f 7038->7039 7041 3e30fa 4 API calls 7039->7041 7040 3eebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7040->7047 7041->7042 7042->6408 7043 3e344d 7044 3eec2e codecvt 4 API calls 7043->7044 7044->7034 7046 3e3141 lstrcmpiA 7046->7047 7047->7034 7047->7040 7047->7042 7047->7043 7047->7046 7145 3e30fa GetTickCount 7047->7145 7049 3e30fa 4 API calls 7048->7049 7050 3e3c1a 7049->7050 7054 3e3ce6 7050->7054 7150 3e3a72 7050->7150 7053 3e3a72 9 API calls 7057 3e3c5e 7053->7057 7054->6408 7055 3e3a72 9 API calls 7055->7057 7056 3eec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7056->7057 7057->7054 7057->7055 7057->7056 7059 3e3a10 7058->7059 7060 3e30fa 4 API calls 7059->7060 7061 3e3a1a 7060->7061 7061->6408 7063 3edd05 6 API calls 7062->7063 7064 3ee7be 
7063->7064 7064->6408 7066 3ec07e wsprintfA 7065->7066 7067 3ec105 7065->7067 7159 3ebfce GetTickCount wsprintfA 7066->7159 7067->6408 7069 3ec0ef 7160 3ebfce GetTickCount wsprintfA 7069->7160 7072 3e6f88 LookupAccountNameA 7071->7072 7073 3e7047 7071->7073 7075 3e6fcb 7072->7075 7076 3e7025 7072->7076 7073->6408 7078 3e6fdb ConvertSidToStringSidA 7075->7078 7161 3e6edd 7076->7161 7078->7076 7080 3e6ff1 7078->7080 7081 3e7013 LocalFree 7080->7081 7081->7076 7083 3edd05 6 API calls 7082->7083 7084 3ee85c 7083->7084 7085 3edd84 lstrcmpiA 7084->7085 7086 3ee867 7085->7086 7087 3ee885 lstrcpyA 7086->7087 7172 3e24a5 7086->7172 7175 3edd69 7087->7175 7093 3e7db7 2 API calls 7092->7093 7094 3e7de1 7093->7094 7095 3e7e16 7094->7095 7096 3ef04e 4 API calls 7094->7096 7095->6408 7097 3e7df2 7096->7097 7097->7095 7098 3ef04e 4 API calls 7097->7098 7098->7095 7100 3eca1d 7099->7100 7101 3ef33b 7099->7101 7100->6376 7100->6954 7102 3ef347 htons socket 7101->7102 7103 3ef374 closesocket 7102->7103 7104 3ef382 ioctlsocket 7102->7104 7103->7100 7105 3ef39d 7104->7105 7106 3ef3aa connect select 7104->7106 7107 3ef39f closesocket 7105->7107 7106->7100 7108 3ef3f2 __WSAFDIsSet 7106->7108 7107->7100 7108->7107 7109 3ef403 ioctlsocket 7108->7109 7111 3ef26d setsockopt setsockopt setsockopt setsockopt setsockopt 7109->7111 7111->7100 7113 3edd84 lstrcmpiA 7112->7113 7114 3ec58e 7113->7114 7114->6961 7114->6968 7114->6969 7116 3e7dc8 InterlockedExchange 7115->7116 7117 3e7dd4 7116->7117 7118 3e7dc0 Sleep 7116->7118 7117->7002 7117->7003 7118->7116 7121 3ee184 7119->7121 7120 3ee2e4 7120->7030 7121->7120 7122 3ee223 7121->7122 7135 3edfe2 7121->7135 7122->7120 7124 3edfe2 8 API calls 7122->7124 7127 3ee23c 7124->7127 7125 3ee1be 7125->7122 7126 3edbcf 3 API calls 7125->7126 7129 3ee1d6 7126->7129 7127->7120 7139 3ee095 RegCreateKeyExA 7127->7139 7128 3ee21a CloseHandle 7128->7122 7129->7122 7129->7128 7130 3ee1f9 WriteFile 7129->7130 7130->7128 7132 3ee213 7130->7132 7132->7128 7133 
3ee2a3 7133->7120 7134 3ee095 4 API calls 7133->7134 7134->7120 7136 3edffc 7135->7136 7138 3ee024 7135->7138 7137 3edb2e 8 API calls 7136->7137 7136->7138 7137->7138 7138->7125 7140 3ee172 7139->7140 7142 3ee0c0 7139->7142 7140->7133 7141 3ee13d 7143 3ee14e RegDeleteValueA RegCloseKey 7141->7143 7142->7141 7144 3ee115 RegSetValueExA 7142->7144 7143->7140 7144->7141 7144->7142 7146 3e3122 InterlockedExchange 7145->7146 7147 3e312e 7146->7147 7148 3e310f GetTickCount 7146->7148 7147->7047 7148->7147 7149 3e311a Sleep 7148->7149 7149->7146 7151 3ef04e 4 API calls 7150->7151 7152 3e3a83 7151->7152 7154 3e3bc0 7152->7154 7157 3e3b66 lstrlenA 7152->7157 7158 3e3ac1 7152->7158 7153 3e3be6 7155 3eec2e codecvt 4 API calls 7153->7155 7154->7153 7156 3eec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7154->7156 7155->7158 7156->7154 7157->7152 7157->7158 7158->7053 7158->7054 7159->7069 7160->7067 7162 3e6eef AllocateAndInitializeSid 7161->7162 7168 3e6f55 wsprintfA 7161->7168 7163 3e6f1c CheckTokenMembership 7162->7163 7164 3e6f44 7162->7164 7165 3e6f2e 7163->7165 7166 3e6f3b FreeSid 7163->7166 7164->7168 7169 3e6e36 GetUserNameW 7164->7169 7165->7166 7166->7164 7168->7073 7170 3e6e5f LookupAccountNameW 7169->7170 7171 3e6e97 7169->7171 7170->7171 7171->7168 7173 3e2419 4 API calls 7172->7173 7174 3e24b6 7173->7174 7174->7087 7176 3edd79 lstrlenA 7175->7176 7176->6408 7178 3eeb17 7177->7178 7180 3eeb21 7177->7180 7179 3eeae4 2 API calls 7178->7179 7179->7180 7180->6501 7182 3e69b9 WriteFile 7181->7182 7184 3e6a3c 7182->7184 7185 3e69ff 7182->7185 7184->6499 7184->6500 7185->7184 7186 3e6a10 WriteFile 7185->7186 7186->7184 7186->7185 7188 3e3edc 7187->7188 7189 3e3ee2 7187->7189 7190 3e6dc2 6 API calls 7188->7190 7189->6513 7190->7189 7192 3e400b CreateFileA 7191->7192 7193 3e402c GetLastError 7192->7193 7195 3e4052 7192->7195 7194 3e4037 7193->7194 7193->7195 7194->7195 7196 3e4041 Sleep 7194->7196 7195->6517 7196->7192 7196->7195 7198 3e3f4e GetLastError 
7197->7198 7199 3e3f7c 7197->7199 7198->7199 7200 3e3f5b WaitForSingleObject GetOverlappedResult 7198->7200 7201 3e3f8c ReadFile 7199->7201 7200->7199 7202 3e3fc2 GetLastError 7201->7202 7204 3e3ff0 7201->7204 7203 3e3fcf WaitForSingleObject GetOverlappedResult 7202->7203 7202->7204 7203->7204 7204->6522 7204->6523 7206 3e1924 GetVersionExA 7205->7206 7206->6562 7208 3ef0ed 7207->7208 7209 3ef0f1 7207->7209 7208->6594 7210 3ef0fa lstrlenA SysAllocStringByteLen 7209->7210 7211 3ef119 7209->7211 7212 3ef11c MultiByteToWideChar 7210->7212 7213 3ef117 7210->7213 7211->7212 7212->7213 7213->6594 7215 3e1820 17 API calls 7214->7215 7216 3e18f2 7215->7216 7217 3e18f9 7216->7217 7231 3e1280 7216->7231 7217->6582 7219 3e1908 7219->6582 7243 3e1000 7220->7243 7222 3e1839 7223 3e183d 7222->7223 7224 3e1851 GetCurrentProcess 7222->7224 7223->6579 7225 3e1864 7224->7225 7225->6579 7229 3e920e 7226->7229 7230 3e9308 7226->7230 7227 3e92f1 Sleep 7227->7229 7228 3e92bf ShellExecuteA 7228->7229 7228->7230 7229->7227 7229->7228 7229->7230 7230->6582 7232 3e12e1 7231->7232 7233 3e16f9 GetLastError 7232->7233 7234 3e13a8 7232->7234 7235 3e1699 7233->7235 7234->7235 7236 3e1570 lstrlenW 7234->7236 7237 3e15be GetStartupInfoW 7234->7237 7238 3e15ff CreateProcessWithLogonW 7234->7238 7242 3e1668 CloseHandle 7234->7242 7235->7219 7236->7234 7237->7234 7239 3e16bf GetLastError 7238->7239 7240 3e163f WaitForSingleObject 7238->7240 7239->7235 7240->7234 7241 3e1659 CloseHandle 7240->7241 7241->7234 7242->7234 7244 3e100d LoadLibraryA 7243->7244 7254 3e1023 7243->7254 7245 3e1021 7244->7245 7244->7254 7245->7222 7246 3e10b5 GetProcAddress 7247 3e127b 7246->7247 7248 3e10d1 GetProcAddress 7246->7248 7247->7222 7248->7247 7249 3e10f0 GetProcAddress 7248->7249 7249->7247 7250 3e1110 GetProcAddress 7249->7250 7250->7247 7251 3e1130 GetProcAddress 7250->7251 7251->7247 7252 3e114f GetProcAddress 7251->7252 7252->7247 7253 3e116f GetProcAddress 7252->7253 7253->7247 7255 3e118f GetProcAddress 
7253->7255 7254->7246 7263 3e10ae 7254->7263 7255->7247 7256 3e11ae GetProcAddress 7255->7256 7256->7247 7257 3e11ce GetProcAddress 7256->7257 7257->7247 7258 3e11ee GetProcAddress 7257->7258 7258->7247 7259 3e1209 GetProcAddress 7258->7259 7259->7247 7260 3e1225 GetProcAddress 7259->7260 7260->7247 7261 3e1241 GetProcAddress 7260->7261 7261->7247 7262 3e125c GetProcAddress 7261->7262 7262->7247 7263->7222 7265 3e908d 7264->7265 7266 3e90e2 wsprintfA 7265->7266 7267 3eee2a 7266->7267 7268 3e90fd CreateFileA 7267->7268 7269 3e913f 7268->7269 7270 3e911a lstrlenA WriteFile CloseHandle 7268->7270 7269->6617 7269->6618 7270->7269 7272 3eee2a 7271->7272 7273 3e9794 CreateProcessA 7272->7273 7274 3e97bb 7273->7274 7275 3e97c2 7273->7275 7274->6629 7276 3e97d4 GetThreadContext 7275->7276 7277 3e97f5 7276->7277 7278 3e9801 7276->7278 7279 3e97f6 TerminateProcess 7277->7279 7285 3e637c 7278->7285 7279->7274 7281 3e9816 7281->7279 7282 3e981e WriteProcessMemory 7281->7282 7282->7277 7283 3e983b SetThreadContext 7282->7283 7283->7277 7284 3e9858 ResumeThread 7283->7284 7284->7274 7286 3e638a GetModuleHandleA VirtualAlloc 7285->7286 7287 3e6386 7285->7287 7288 3e63b6 7286->7288 7289 3e63f5 7286->7289 7287->7281 7290 3e63be VirtualAllocEx 7288->7290 7289->7281 7290->7289 7291 3e63d6 7290->7291 7292 3e63df WriteProcessMemory 7291->7292 7292->7289 7294 3e879f 7293->7294 7295 3e8791 7293->7295 7297 3e87bc 7294->7297 7298 3ef04e 4 API calls 7294->7298 7296 3ef04e 4 API calls 7295->7296 7296->7294 7299 3ee819 11 API calls 7297->7299 7298->7297 7300 3e87d7 7299->7300 7313 3e8803 7300->7313 7448 3e26b2 gethostbyaddr 7300->7448 7303 3e87eb 7305 3ee8a1 30 API calls 7303->7305 7303->7313 7305->7313 7308 3ee819 11 API calls 7308->7313 7309 3e88a0 Sleep 7309->7313 7311 3e26b2 2 API calls 7311->7313 7312 3ef04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7312->7313 7313->7308 7313->7309 7313->7311 7313->7312 7314 3ee8a1 30 API calls 7313->7314 7345 3e8cee 
7313->7345 7353 3ec4d6 7313->7353 7356 3ec4e2 7313->7356 7359 3e2011 7313->7359 7394 3e8328 7313->7394 7314->7313 7316 3e407d 7315->7316 7317 3e4084 7315->7317 7318 3e3ecd 6 API calls 7317->7318 7319 3e408f 7318->7319 7320 3e4000 3 API calls 7319->7320 7321 3e4095 7320->7321 7322 3e4130 7321->7322 7323 3e40c0 7321->7323 7324 3e3ecd 6 API calls 7322->7324 7328 3e3f18 4 API calls 7323->7328 7325 3e4159 CreateNamedPipeA 7324->7325 7326 3e4188 ConnectNamedPipe 7325->7326 7327 3e4167 Sleep 7325->7327 7331 3e4195 GetLastError 7326->7331 7340 3e41ab 7326->7340 7327->7322 7329 3e4176 CloseHandle 7327->7329 7330 3e40da 7328->7330 7329->7326 7332 3e3f8c 4 API calls 7330->7332 7333 3e425e DisconnectNamedPipe 7331->7333 7331->7340 7334 3e40ec 7332->7334 7333->7326 7335 3e4127 CloseHandle 7334->7335 7336 3e4101 7334->7336 7335->7322 7337 3e3f18 4 API calls 7336->7337 7338 3e411c ExitProcess 7337->7338 7339 3e3f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7339->7340 7340->7326 7340->7333 7340->7339 7341 3e3f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7340->7341 7342 3e426a CloseHandle CloseHandle 7340->7342 7341->7340 7343 3ee318 23 API calls 7342->7343 7344 3e427b 7343->7344 7344->7344 7346 3e8dae 7345->7346 7347 3e8d02 GetTickCount 7345->7347 7346->7313 7347->7346 7349 3e8d19 7347->7349 7348 3e8da1 GetTickCount 7348->7346 7349->7348 7352 3e8d89 7349->7352 7453 3ea677 7349->7453 7456 3ea688 7349->7456 7352->7348 7464 3ec2dc 7353->7464 7357 3ec2dc 142 API calls 7356->7357 7358 3ec4ec 7357->7358 7358->7313 7360 3e202e 7359->7360 7361 3e2020 7359->7361 7363 3e204b 7360->7363 7364 3ef04e 4 API calls 7360->7364 7362 3ef04e 4 API calls 7361->7362 7362->7360 7365 3e206e GetTickCount 7363->7365 7367 3ef04e 4 API calls 7363->7367 7364->7363 7366 3e20db GetTickCount 7365->7366 7378 3e2090 7365->7378 7369 3e2132 GetTickCount GetTickCount 7366->7369 7377 3e20e7 7366->7377 7370 3e2068 7367->7370 7368 3e20d4 GetTickCount 7368->7366 7371 3ef04e 4 API 
calls 7369->7371 7370->7365 7374 3e2159 7371->7374 7372 3e212b GetTickCount 7372->7369 7373 3e2684 2 API calls 7373->7378 7376 3e21b4 7374->7376 7380 3ee854 13 API calls 7374->7380 7379 3ef04e 4 API calls 7376->7379 7377->7372 7386 3e1978 15 API calls 7377->7386 7387 3e2125 7377->7387 7794 3e2ef8 7377->7794 7378->7368 7378->7373 7383 3e20ce 7378->7383 7804 3e1978 7378->7804 7382 3e21d1 7379->7382 7384 3e218e 7380->7384 7388 3e21f2 7382->7388 7390 3eea84 30 API calls 7382->7390 7383->7368 7385 3ee819 11 API calls 7384->7385 7389 3e219c 7385->7389 7386->7377 7387->7372 7388->7313 7389->7376 7809 3e1c5f 7389->7809 7391 3e21ec 7390->7391 7392 3ef04e 4 API calls 7391->7392 7392->7388 7395 3e7dd6 6 API calls 7394->7395 7396 3e833c 7395->7396 7397 3e8340 7396->7397 7398 3e6ec3 2 API calls 7396->7398 7397->7313 7399 3e834f 7398->7399 7400 3e835c 7399->7400 7404 3e846b 7399->7404 7401 3e73ff 17 API calls 7400->7401 7410 3e8373 7401->7410 7402 3e8626 GetTempPathA 7406 3e8638 7402->7406 7403 3e675c 21 API calls 7407 3e85df 7403->7407 7408 3e84a7 RegOpenKeyExA 7404->7408 7433 3e8450 7404->7433 7440 3e8671 7406->7440 7407->7402 7418 3e8768 7407->7418 7407->7440 7411 3e84c0 RegQueryValueExA 7408->7411 7413 3e852f 7408->7413 7409 3e86ad 7412 3e8762 7409->7412 7415 3e7e2f 6 API calls 7409->7415 7410->7397 7428 3e83ea RegOpenKeyExA 7410->7428 7410->7433 7414 3e8521 RegCloseKey 7411->7414 7417 3e84dd 7411->7417 7412->7418 7416 3e8564 RegOpenKeyExA 7413->7416 7426 3e85a5 7413->7426 7414->7413 7427 3e86bb 7415->7427 7419 3e8573 RegSetValueExA RegCloseKey 7416->7419 7416->7426 7417->7414 7420 3eebcc 4 API calls 7417->7420 7418->7397 7422 3eec2e codecvt 4 API calls 7418->7422 7419->7426 7424 3e84f0 7420->7424 7421 3e875b DeleteFileA 7421->7412 7422->7397 7424->7414 7425 3e84f8 RegQueryValueExA 7424->7425 7425->7414 7429 3e8515 7425->7429 7430 3eec2e codecvt 4 API calls 7426->7430 7426->7433 7427->7421 7434 3e86e0 lstrcpyA lstrlenA 7427->7434 7431 3e83fd RegQueryValueExA 7428->7431 
7428->7433 7432 3eec2e codecvt 4 API calls 7429->7432 7430->7433 7435 3e841e 7431->7435 7436 3e842d RegSetValueExA 7431->7436 7438 3e851d 7432->7438 7433->7403 7433->7407 7439 3e7fcf 64 API calls 7434->7439 7435->7436 7437 3e8447 RegCloseKey 7435->7437 7436->7437 7437->7433 7438->7414 7441 3e8719 CreateProcessA 7439->7441 7881 3e6ba7 IsBadCodePtr 7440->7881 7442 3e874f 7441->7442 7443 3e873d CloseHandle CloseHandle 7441->7443 7444 3e7ee6 64 API calls 7442->7444 7443->7418 7445 3e8754 7444->7445 7446 3e7ead 6 API calls 7445->7446 7447 3e875a 7446->7447 7447->7421 7449 3e26cd 7448->7449 7450 3e26fb 7448->7450 7451 3e26e1 inet_ntoa 7449->7451 7452 3e26de 7449->7452 7450->7303 7451->7452 7452->7303 7459 3ea63d 7453->7459 7455 3ea685 7455->7349 7457 3ea63d GetTickCount 7456->7457 7458 3ea696 7457->7458 7458->7349 7460 3ea64d 7459->7460 7461 3ea645 7459->7461 7462 3ea65e GetTickCount 7460->7462 7463 3ea66e 7460->7463 7461->7455 7462->7463 7463->7455 7481 3ea4c7 GetTickCount 7464->7481 7467 3ec47a 7472 3ec4ab InterlockedIncrement CreateThread 7467->7472 7473 3ec4d2 7467->7473 7468 3ec326 7470 3ec337 7468->7470 7471 3ec32b GetTickCount 7468->7471 7469 3ec300 GetTickCount 7469->7470 7470->7467 7475 3ec363 GetTickCount 7470->7475 7471->7470 7472->7473 7474 3ec4cb CloseHandle 7472->7474 7486 3eb535 7472->7486 7473->7313 7474->7473 7475->7467 7476 3ec373 7475->7476 7477 3ec378 GetTickCount 7476->7477 7478 3ec37f 7476->7478 7477->7478 7479 3ec43b GetTickCount 7478->7479 7480 3ec45e 7479->7480 7480->7467 7482 3ea4f7 InterlockedExchange 7481->7482 7483 3ea4e4 GetTickCount 7482->7483 7484 3ea500 7482->7484 7483->7484 7485 3ea4ef Sleep 7483->7485 7484->7467 7484->7468 7484->7469 7485->7482 7487 3eb566 7486->7487 7488 3eebcc 4 API calls 7487->7488 7489 3eb587 7488->7489 7490 3eebcc 4 API calls 7489->7490 7537 3eb590 7490->7537 7491 3ebdcd InterlockedDecrement 7492 3ebde2 7491->7492 7494 3eec2e codecvt 4 API calls 7492->7494 7495 3ebdea 7494->7495 7496 3eec2e codecvt 4 API calls 
7495->7496 7498 3ebdf2 7496->7498 7497 3ebdb7 Sleep 7497->7537 7500 3ebe05 7498->7500 7501 3eec2e codecvt 4 API calls 7498->7501 7499 3ebdcc 7499->7491 7501->7500 7502 3eebed 8 API calls 7502->7537 7505 3eb6b6 lstrlenA 7505->7537 7506 3e30b5 2 API calls 7506->7537 7507 3ee819 11 API calls 7507->7537 7508 3eb6ed lstrcpyA 7561 3e5ce1 7508->7561 7511 3eb71f lstrcmpA 7512 3eb731 lstrlenA 7511->7512 7511->7537 7512->7537 7513 3eb772 GetTickCount 7513->7537 7514 3ebd49 InterlockedIncrement 7655 3ea628 7514->7655 7517 3ebc5b InterlockedIncrement 7517->7537 7518 3eb7ce InterlockedIncrement 7571 3eacd7 7518->7571 7521 3eb912 GetTickCount 7521->7537 7522 3eb826 InterlockedIncrement 7522->7513 7523 3ebcdc closesocket 7523->7537 7524 3eb932 GetTickCount 7525 3ebc6d InterlockedIncrement 7524->7525 7524->7537 7525->7537 7526 3e5ce1 22 API calls 7526->7537 7527 3e38f0 6 API calls 7527->7537 7531 3ebba6 InterlockedIncrement 7531->7537 7533 3ebc4c closesocket 7533->7537 7534 3ea7c1 22 API calls 7534->7537 7535 3e5ded 12 API calls 7535->7537 7537->7491 7537->7497 7537->7499 7537->7502 7537->7505 7537->7506 7537->7507 7537->7508 7537->7511 7537->7512 7537->7513 7537->7514 7537->7517 7537->7518 7537->7521 7537->7522 7537->7523 7537->7524 7537->7526 7537->7527 7537->7531 7537->7533 7537->7534 7537->7535 7538 3eba71 wsprintfA 7537->7538 7539 3eab81 lstrcpynA InterlockedIncrement 7537->7539 7541 3eef1e lstrlenA 7537->7541 7542 3ea688 GetTickCount 7537->7542 7543 3e3e10 7537->7543 7546 3e3e4f 7537->7546 7549 3e384f 7537->7549 7569 3ea7a3 inet_ntoa 7537->7569 7576 3eabee 7537->7576 7588 3e1feb GetTickCount 7537->7588 7609 3e3cfb 7537->7609 7612 3eb3c5 7537->7612 7643 3eab81 7537->7643 7589 3ea7c1 7538->7589 7539->7537 7541->7537 7542->7537 7544 3e30fa 4 API calls 7543->7544 7545 3e3e1d 7544->7545 7545->7537 7547 3e30fa 4 API calls 7546->7547 7548 3e3e5c 7547->7548 7548->7537 7550 3e30fa 4 API calls 7549->7550 7552 3e3863 7550->7552 7551 3e38b2 7551->7537 7552->7551 7553 3e38b9 7552->7553 
7554 3e3889 7552->7554 7664 3e35f9 7553->7664 7658 3e3718 7554->7658 7559 3e3718 6 API calls 7559->7551 7560 3e35f9 6 API calls 7560->7551 7562 3e5cec 7561->7562 7563 3e5cf4 7561->7563 7670 3e4bd1 GetTickCount 7562->7670 7565 3e4bd1 4 API calls 7563->7565 7566 3e5d02 7565->7566 7675 3e5472 7566->7675 7570 3ea7b9 7569->7570 7570->7537 7572 3ef315 14 API calls 7571->7572 7573 3eaceb 7572->7573 7574 3eacff 7573->7574 7575 3ef315 14 API calls 7573->7575 7574->7537 7575->7574 7577 3eabfb 7576->7577 7580 3eac65 7577->7580 7738 3e2f22 7577->7738 7579 3ef315 14 API calls 7579->7580 7580->7579 7581 3eac8a 7580->7581 7582 3eac6f 7580->7582 7581->7537 7584 3eab81 2 API calls 7582->7584 7583 3eac23 7583->7580 7585 3e2684 2 API calls 7583->7585 7586 3eac81 7584->7586 7585->7583 7746 3e38f0 7586->7746 7588->7537 7590 3ea7df 7589->7590 7591 3ea87d lstrlenA send 7589->7591 7590->7591 7598 3ea7fa wsprintfA 7590->7598 7600 3ea80a 7590->7600 7601 3ea8f2 7590->7601 7592 3ea8bf 7591->7592 7593 3ea899 7591->7593 7594 3ea8c4 send 7592->7594 7592->7601 7596 3ea8a5 wsprintfA 7593->7596 7608 3ea89e 7593->7608 7597 3ea8d8 wsprintfA 7594->7597 7594->7601 7595 3ea978 recv 7595->7601 7602 3ea982 7595->7602 7596->7608 7597->7608 7598->7600 7599 3ea9b0 wsprintfA 7599->7608 7600->7591 7601->7595 7601->7599 7601->7602 7603 3e30b5 2 API calls 7602->7603 7602->7608 7604 3eab05 7603->7604 7605 3ee819 11 API calls 7604->7605 7606 3eab17 7605->7606 7607 3ea7a3 inet_ntoa 7606->7607 7607->7608 7608->7537 7610 3e30fa 4 API calls 7609->7610 7611 3e3d0b 7610->7611 7611->7537 7613 3e5ce1 22 API calls 7612->7613 7614 3eb3e6 7613->7614 7615 3e5ce1 22 API calls 7614->7615 7616 3eb404 7615->7616 7617 3eb440 7616->7617 7618 3eef7c 3 API calls 7616->7618 7619 3eef7c 3 API calls 7617->7619 7620 3eb42b 7618->7620 7621 3eb458 wsprintfA 7619->7621 7622 3eef7c 3 API calls 7620->7622 7623 3eef7c 3 API calls 7621->7623 7622->7617 7624 3eb480 7623->7624 7625 3eef7c 3 API calls 7624->7625 7626 3eb493 7625->7626 7627 3eef7c 
[Control-flow graph residue: the node/edge listing for functions in the 003E0000 memory dump (svchost) did not survive extraction as readable text. API names recoverable from it include GetLocalTime, SystemTimeToFileTime, GetTickCount, lstrcpynA, InterlockedIncrement, InterlockedExchange, GetCurrentThreadId, Sleep, gethostname, inet_ntoa, wsprintfA, GetTimeZoneInformation, DnsQuery_A, GetProcessHeap/HeapAlloc/HeapFree, LoadLibraryA, GetProcAddress, FreeLibrary, htons, htonl, inet_addr, gethostbyname, socket, select, recv, sendto, setsockopt, closesocket, WSAStartup, CreateFileA, WriteFile, DeleteFileA, CloseHandle, lstrcmpA, lstrcpyA, lstrlenA, RegisterServiceCtrlHandlerA, SetServiceStatus, VirtualAlloc, VirtualFree, VirtualProtect, IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, GetCurrentProcess, StackWalk64 and ExitProcess.]
APIs
• closesocket.WS2_32(?), ref: 003ECA4E
• closesocket.WS2_32(?), ref: 003ECB63
• GetTempPathA.KERNEL32(00000120,?), ref: 003ECC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003ECCB4
• WriteFile.KERNEL32(003EA4B3,?,-000000E8,?,00000000), ref: 003ECCDC
• CloseHandle.KERNEL32(003EA4B3), ref: 003ECCED
• wsprintfA.USER32 ref: 003ECD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 003ECD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 003ECD89
• CloseHandle.KERNEL32(?), ref: 003ECD98
• CloseHandle.KERNEL32(?), ref: 003ECD9D
• DeleteFileA.KERNEL32(?), ref: 003ECDC4
• CloseHandle.KERNEL32(003EA4B3), ref: 003ECDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 003ECFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 003ECFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 003ED033
• lstrcatA.KERNEL32(?,03B00108), ref: 003ED10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 003ED155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 003ED171
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000), ref: 003ED195
• CloseHandle.KERNEL32(00000000), ref: 003ED19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 003ED1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 003ED231
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 003ED27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 003ED2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 003ED2C7
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 003ED2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 003ED2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 003ED326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 003ED372
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 003ED3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 003ED3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 003ED408
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 003ED428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 003ED42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 003ED45B
• CreateProcessA.KERNEL32(?,003F0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 003ED4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 003ED4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 003ED4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 003ED513
• closesocket.WS2_32(?), ref: 003ED56C
• Sleep.KERNEL32(000003E8), ref: 003ED577
• ExitProcess.KERNEL32 ref: 003ED583
• wsprintfA.USER32 ref: 003ED81F
  • Part of subcall function 003EC65C: send.WS2_32(00000000,?,00000000), ref: 003EC74B
• closesocket.WS2_32(?), ref: 003EDAD5
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$X ?$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3529577057
• Opcode ID: 9c4c4581d372c6f11abb4144c5a5514b59838ea339ea59796e7cdf768df8b9b1
• Instruction ID: 9d3e90b94cfe990dc2a76754b90bc281adbbbf84e61a0d42e0d0dcc0c33d486f
• Opcode Fuzzy Hash: 9c4c4581d372c6f11abb4144c5a5514b59838ea339ea59796e7cdf768df8b9b1
• Instruction Fuzzy Hash: 61B2D2719002A9AFEB279BA6DC85EFE7BBCEB04300F150669F605E72D1D7309A45CB50
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 003E9A7F
• SetErrorMode.KERNELBASE(00000003), ref: 003E9A83
• SetUnhandledExceptionFilter.KERNEL32(003E6511), ref: 003E9A8A
  • Part of subcall function 003EEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 003EEC5E
  • Part of subcall function 003EEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 003EEC72
  • Part of subcall function 003EEC54: GetTickCount.KERNEL32 ref: 003EEC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 003E9AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 003E9ABA
• GetCommandLineA.KERNEL32 ref: 003E9AFD
• lstrlenA.KERNEL32(?), ref: 003E9B99
• ExitProcess.KERNEL32 ref: 003E9C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 003E9CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 003E9D7A
• lstrcatA.KERNEL32(?,?), ref: 003E9D8B
• lstrcatA.KERNEL32(?,003F070C), ref: 003E9D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 003E9DED
• DeleteFileA.KERNEL32(00000022), ref: 003E9E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 003E9E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 003E9EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 003E9ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 003E9F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 003E9F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 003E9F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 003E9FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 003E9FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 003E9FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 003EA038
• lstrcatA.KERNEL32(00000022,003F0A34), ref: 003EA05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 003EA072
• lstrcatA.KERNEL32(00000022,003F0A34), ref: 003EA08D
• wsprintfA.USER32 ref: 003EA0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 003EA0DE
• lstrcatA.KERNEL32(00000022,?), ref: 003EA0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 003EA120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 003EA131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 003EA174
• GetModuleFileNameA.KERNEL32(00000000), ref: 003EA17B
• GetDriveTypeA.KERNEL32(00000022), ref: 003EA1B6
• GetCommandLineA.KERNEL32 ref: 003EA1E5
  • Part of subcall function 003E99D2: lstrcpyA.KERNEL32(?,?,00000100,003F22F8,00000000,?,003E9E9D,?,00000022,?,?,?,?,?,?,?), ref: 003E99DF
  • Part of subcall function 003E99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,003E9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 003E9A3C
  • Part of subcall function 003E99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,003E9E9D,?,00000022,?,?,?), ref: 003E9A52
• lstrlenA.KERNEL32(?), ref: 003EA288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 003EA3B7
• GetLastError.KERNEL32 ref: 003EA3ED
• Sleep.KERNEL32(000003E8), ref: 003EA400
• DeleteFileA.KERNELBASE(003F33D8), ref: 003EA407
• CreateThread.KERNELBASE(00000000,00000000,003E405E,00000000,00000000,00000000), ref: 003EA42C
• WSAStartup.WS2_32(00001010,?), ref: 003EA43A
• CreateThread.KERNELBASE(00000000,00000000,003E877E,00000000,00000000,00000000), ref: 003EA469
• Sleep.KERNELBASE(00000BB8), ref: 003EA48A
• GetTickCount.KERNEL32 ref: 003EA49F
• GetTickCount.KERNEL32 ref: 003EA4B7
• Sleep.KERNELBASE(00001A90), ref: 003EA4C3
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$D$P$\$xembmrjv
• API String ID: 2089075347-1766761834
                                                                                              • Opcode ID: ad83f4a38b0360c3ed4583b690f028864ac6695319abf2378be158c45e2a732f
                                                                                              • Instruction ID: ccfccfba7d86609d4089f7c32eec5a0fb5a3f090278238d56a2bd91a40c7e225
                                                                                              • Opcode Fuzzy Hash: ad83f4a38b0360c3ed4583b690f028864ac6695319abf2378be158c45e2a732f
                                                                                              • Instruction Fuzzy Hash: AD5275B1D402A9AFDF13DBA5CC49FEE77BCAB04300F1546A6F605E6181EB709A44CB61

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 905 3e199c-3e19cc inet_addr LoadLibraryA 906 3e19ce-3e19d0 905->906 907 3e19d5-3e19fe GetProcAddress * 3 905->907 908 3e1abf-3e1ac2 906->908 909 3e1a04-3e1a06 907->909 910 3e1ab3-3e1ab6 FreeLibrary 907->910 909->910 911 3e1a0c-3e1a0e 909->911 912 3e1abc 910->912 911->910 913 3e1a14-3e1a28 GetBestInterface GetProcessHeap 911->913 914 3e1abe 912->914 913->912 915 3e1a2e-3e1a40 HeapAlloc 913->915 914->908 915->912 916 3e1a42-3e1a50 GetAdaptersInfo 915->916 917 3e1a62-3e1a67 916->917 918 3e1a52-3e1a60 HeapReAlloc 916->918 919 3e1a69-3e1a73 GetAdaptersInfo 917->919 920 3e1aa1-3e1aad FreeLibrary 917->920 918->917 919->920 921 3e1a75 919->921 920->912 922 3e1aaf-3e1ab1 920->922 923 3e1a77-3e1a80 921->923 922->914 924 3e1a8a-3e1a91 923->924 925 3e1a82-3e1a86 923->925 927 3e1a96-3e1a9b HeapFree 924->927 928 3e1a93 924->928 925->923 926 3e1a88 925->926 926->927 927->920 928->927
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(123.45.67.89), ref: 003E19B1
                                                                                              • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,003E1E9E), ref: 003E19BF
                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 003E19E2
                                                                                              • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 003E19ED
                                                                                              • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 003E19F9
                                                                                              • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,003E1E9E), ref: 003E1A1B
                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,00000001,003E1E9E), ref: 003E1A1D
                                                                                              • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,003E1E9E), ref: 003E1A36
                                                                                              • GetAdaptersInfo.IPHLPAPI(00000000,003E1E9E,?,?,?,?,00000001,003E1E9E), ref: 003E1A4A
                                                                                              • HeapReAlloc.KERNEL32(?,00000000,00000000,003E1E9E,?,?,?,?,00000001,003E1E9E), ref: 003E1A5A
                                                                                              • GetAdaptersInfo.IPHLPAPI(00000000,003E1E9E,?,?,?,?,00000001,003E1E9E), ref: 003E1A6E
                                                                                              • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,003E1E9E), ref: 003E1A9B
                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,003E1E9E), ref: 003E1AA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                              • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                              • API String ID: 293628436-270533642
                                                                                              • Opcode ID: c3602aa7cc9cacd9de83e1aa6debe960921ede2e490700cb8a12331a70db9a79
                                                                                              • Instruction ID: d69288ff7a78b1e83d0d4f1e82e3bdd9a104a1ec0e3ef912b3b3f7f82885e1f3
                                                                                              • Opcode Fuzzy Hash: c3602aa7cc9cacd9de83e1aa6debe960921ede2e490700cb8a12331a70db9a79
                                                                                              • Instruction Fuzzy Hash: FB316B76D012A9AFCB169FEACC88CBEBBB9EF44301F554679E501A3251D7304E40DBA0

                                                                                              Control-flow Graph

                                                                                               control_flow_graph 696 3e7a95-3e7ac2 RegOpenKeyExA 697 3e7acb-3e7ae7 GetUserNameA 696->697 698 3e7ac4-3e7ac6 696->698 700 3e7aed-3e7b1e LookupAccountNameA 697->700 701 3e7da7-3e7db3 RegCloseKey 697->701 699 3e7db4-3e7db6 698->699 700->701 702 3e7b24-3e7b43 RegGetKeySecurity 700->702 701->699 702->701 703 3e7b49-3e7b61 GetSecurityDescriptorOwner 702->703 704 3e7bb8-3e7bd6 GetSecurityDescriptorDacl 703->704 705 3e7b63-3e7b72 EqualSid 703->705 707 3e7bdc-3e7be1 704->707 708 3e7da6 704->708 705->704 706 3e7b74-3e7b88 LocalAlloc 705->706 706->704 709 3e7b8a-3e7b94 InitializeSecurityDescriptor 706->709 707->708 710 3e7be7-3e7bf2 707->710 708->701 711 3e7b96-3e7ba4 SetSecurityDescriptorOwner 709->711 712 3e7bb1-3e7bb2 LocalFree 709->712 710->708 713 3e7bf8-3e7c08 GetAce 710->713 711->712 714 3e7ba6-3e7bab RegSetKeySecurity 711->714 712->704 715 3e7c0e-3e7c1b 713->715 716 3e7cc6 713->716 714->712 718 3e7c4f-3e7c52 715->718 719 3e7c1d-3e7c2f EqualSid 715->719 717 3e7cc9-3e7cd3 716->717 717->713 720 3e7cd9-3e7cdc 717->720 723 3e7c5f-3e7c71 EqualSid 718->723 724 3e7c54-3e7c5e 718->724 721 3e7c36-3e7c38 719->721 722 3e7c31-3e7c34 719->722 720->708 727 3e7ce2-3e7ce8 720->727 721->718 728 3e7c3a-3e7c4d DeleteAce 721->728 722->719 722->721 725 3e7c86 723->725 726 3e7c73-3e7c84 723->726 724->723 729 3e7c8b-3e7c8e 725->729 726->729 730 3e7d5a-3e7d6e LocalAlloc 727->730 731 3e7cea-3e7cf0 727->731 728->717 732 3e7c9d-3e7c9f 729->732 733 3e7c90-3e7c96 729->733 730->708 734 3e7d70-3e7d7a InitializeSecurityDescriptor 730->734 731->730 735 3e7cf2-3e7d0d RegOpenKeyExA 731->735 736 3e7ca7-3e7cc3 732->736 737 3e7ca1-3e7ca5 732->737 733->732 738 3e7d9f-3e7da0 LocalFree 734->738 739 3e7d7c-3e7d8a SetSecurityDescriptorDacl 734->739 735->730 740 3e7d0f-3e7d16 735->740 736->716 737->716 737->736 738->708 739->738 741 3e7d8c-3e7d9a RegSetKeySecurity 739->741 742 3e7d19-3e7d1e 740->742 741->738 744 3e7d9c 741->744 742->742 743 3e7d20-3e7d52 call 3e2544 RegSetValueExA 742->743 743->730 747 3e7d54 743->747 744->738 747->730
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 003E7ABA
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 003E7ADF
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,003F070C,?,?,?), ref: 003E7B16
                                                                                              • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 003E7B3B
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 003E7B59
                                                                                              • EqualSid.ADVAPI32(?,00000022), ref: 003E7B6A
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 003E7B7E
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003E7B8C
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 003E7B9C
                                                                                              • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 003E7BAB
                                                                                              • LocalFree.KERNEL32(00000000), ref: 003E7BB2
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,003E7FC9,?,00000000), ref: 003E7BCE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                              • String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$D
                                                                                              • API String ID: 2976863881-661856222
                                                                                              • Opcode ID: 31cafb32f7c29b9685d737d8f32d95e1b662ccb939a1510f09c5b3449dcdfce8
                                                                                              • Instruction ID: 61d62a1703e3d32279c0443f65f1aa694e315e23fe541703b6b810028c79e7de
                                                                                              • Opcode Fuzzy Hash: 31cafb32f7c29b9685d737d8f32d95e1b662ccb939a1510f09c5b3449dcdfce8
                                                                                              • Instruction Fuzzy Hash: 59A1487190426AABDF128FA6DC88EFFBBBCFF04700F154169E505E2191EB359A45CB60

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 748 3e7809-3e7837 GetUserNameA 749 3e7a8e-3e7a94 748->749 750 3e783d-3e786e LookupAccountNameA 748->750 750->749 751 3e7874-3e78a2 GetLengthSid GetFileSecurityA 750->751 751->749 752 3e78a8-3e78c3 GetSecurityDescriptorOwner 751->752 753 3e791d-3e793b GetSecurityDescriptorDacl 752->753 754 3e78c5-3e78da EqualSid 752->754 755 3e7a8d 753->755 756 3e7941-3e7946 753->756 754->753 757 3e78dc-3e78ed LocalAlloc 754->757 755->749 756->755 758 3e794c-3e7955 756->758 757->753 759 3e78ef-3e78f9 InitializeSecurityDescriptor 757->759 758->755 760 3e795b-3e796b GetAce 758->760 761 3e78fb-3e7909 SetSecurityDescriptorOwner 759->761 762 3e7916-3e7917 LocalFree 759->762 763 3e7a2a 760->763 764 3e7971-3e797e 760->764 761->762 765 3e790b-3e7910 SetFileSecurityA 761->765 762->753 768 3e7a2d-3e7a37 763->768 766 3e79ae-3e79b1 764->766 767 3e7980-3e7992 EqualSid 764->767 765->762 772 3e79be-3e79d0 EqualSid 766->772 773 3e79b3-3e79bd 766->773 769 3e7999-3e799b 767->769 770 3e7994-3e7997 767->770 768->760 771 3e7a3d-3e7a41 768->771 769->766 774 3e799d-3e79ac DeleteAce 769->774 770->767 770->769 771->755 775 3e7a43-3e7a54 LocalAlloc 771->775 776 3e79e5 772->776 777 3e79d2-3e79e3 772->777 773->772 774->768 775->755 778 3e7a56-3e7a60 InitializeSecurityDescriptor 775->778 779 3e79ea-3e79ed 776->779 777->779 780 3e7a86-3e7a87 LocalFree 778->780 781 3e7a62-3e7a71 SetSecurityDescriptorDacl 778->781 782 3e79ef-3e79f5 779->782 783 3e79f8-3e79fb 779->783 780->755 781->780 786 3e7a73-3e7a81 SetFileSecurityA 781->786 782->783 784 3e79fd-3e7a01 783->784 785 3e7a03-3e7a0e 783->785 784->763 784->785 787 3e7a19-3e7a24 785->787 788 3e7a10-3e7a17 785->788 786->780 789 3e7a83 786->789 790 3e7a27 787->790 788->790 789->780 790->763
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,?), ref: 003E782F
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 003E7866
                                                                                              • GetLengthSid.ADVAPI32(?), ref: 003E7878
                                                                                              • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 003E789A
                                                                                              • GetSecurityDescriptorOwner.ADVAPI32(?,003E7F63,?), ref: 003E78B8
                                                                                              • EqualSid.ADVAPI32(?,003E7F63), ref: 003E78D2
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 003E78E3
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003E78F1
                                                                                              • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 003E7901
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 003E7910
                                                                                              • LocalFree.KERNEL32(00000000), ref: 003E7917
                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003E7933
                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 003E7963
                                                                                              • EqualSid.ADVAPI32(?,003E7F63), ref: 003E798A
                                                                                              • DeleteAce.ADVAPI32(?,00000000), ref: 003E79A3
                                                                                              • EqualSid.ADVAPI32(?,003E7F63), ref: 003E79C5
                                                                                              • LocalAlloc.KERNEL32(00000040,00000014), ref: 003E7A4A
                                                                                              • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 003E7A58
                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 003E7A69
                                                                                              • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 003E7A79
                                                                                              • LocalFree.KERNEL32(00000000), ref: 003E7A87
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                              • String ID: D
                                                                                              • API String ID: 3722657555-2746444292
                                                                                              • Opcode ID: eb95a84e768e184947ef82ccd93ab0e864060875e29ab2d8d47599a8dbd81561
                                                                                              • Instruction ID: ed8d57df848eb55a66670bd7c804946dd160dfbcde205054810dbcfac1c8bd49
                                                                                              • Opcode Fuzzy Hash: eb95a84e768e184947ef82ccd93ab0e864060875e29ab2d8d47599a8dbd81561
                                                                                              • Instruction Fuzzy Hash: 5C813E71D0426AABDB22CFA5DD48FEEBBBCFF08340F154169E505E2291DB359A41CB60

                                                                                              Control-flow Graph

                                                                                               control_flow_graph 791 3e8328-3e833e call 3e7dd6 794 3e8348-3e8356 call 3e6ec3 791->794 795 3e8340-3e8343 791->795 799 3e835c-3e8378 call 3e73ff 794->799 800 3e846b-3e8474 794->800 796 3e877b-3e877d 795->796 810 3e837e-3e8384 799->810 811 3e8464-3e8466 799->811 802 3e847a-3e8480 800->802 803 3e85c2-3e85ce 800->803 802->803 807 3e8486-3e84ba call 3e2544 RegOpenKeyExA 802->807 805 3e8615-3e8620 803->805 806 3e85d0-3e85da call 3e675c 803->806 808 3e8626-3e864c GetTempPathA call 3e8274 call 3eeca5 805->808 809 3e86a7-3e86b0 call 3e6ba7 805->809 818 3e85df-3e85eb 806->818 824 3e8543-3e8571 call 3e2544 RegOpenKeyExA 807->824 825 3e84c0-3e84db RegQueryValueExA 807->825 846 3e864e-3e866f call 3eeca5 808->846 847 3e8671-3e86a4 call 3e2544 call 3eef00 call 3eee2a 808->847 826 3e86b6-3e86bd call 3e7e2f 809->826 827 3e8762 809->827 810->811 816 3e838a-3e838d 810->816 817 3e8779-3e877a 811->817 816->811 822 3e8393-3e8399 816->822 817->796 818->805 823 3e85ed-3e85ef 818->823 829 3e839c-3e83a1 822->829 823->805 830 3e85f1-3e85fa 823->830 852 3e85a5-3e85b7 call 3eee2a 824->852 853 3e8573-3e857b 824->853 832 3e84dd-3e84e1 825->832 833 3e8521-3e852d RegCloseKey 825->833 856 3e875b-3e875c DeleteFileA 826->856 857 3e86c3-3e873b call 3eee2a * 2 lstrcpyA lstrlenA call 3e7fcf CreateProcessA 826->857 835 3e8768-3e876b 827->835 829->829 837 3e83a3-3e83af 829->837 830->805 839 3e85fc-3e860f call 3e24c2 830->839 832->833 841 3e84e3-3e84e6 832->841 833->824 838 3e852f-3e8541 call 3eeed1 833->838 844 3e876d-3e8775 call 3eec2e 835->844 845 3e8776-3e8778 835->845 848 3e83b3-3e83ba 837->848 849 3e83b1 837->849 838->824 838->852 839->805 839->835 841->833 842 3e84e8-3e84f6 call 3eebcc 841->842 842->833 875 3e84f8-3e8513 RegQueryValueExA 842->875 844->845 845->817 846->847 847->809 862 3e8450-3e845f call 3eee2a 848->862 863 3e83c0-3e83fb call 3e2544 RegOpenKeyExA 848->863 849->848 852->803 876 3e85b9-3e85c1 call 3eec2e 852->876 865 3e857e-3e8583 853->865 856->827 899 3e874f-3e875a call 3e7ee6 call 3e7ead 857->899 900 3e873d-3e874d CloseHandle * 2 857->900 862->803 863->862 885 3e83fd-3e841c RegQueryValueExA 863->885 865->865 866 3e8585-3e859f RegSetValueExA RegCloseKey 865->866 866->852 875->833 881 3e8515-3e851e call 3eec2e 875->881 876->803 881->833 890 3e841e-3e8421 885->890 891 3e842d-3e8441 RegSetValueExA 885->891 890->891 892 3e8423-3e8426 890->892 893 3e8447-3e844a RegCloseKey 891->893 892->891 897 3e8428-3e842b 892->897 893->862 897->891 897->893 899->856 900->835
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,003F0750,?,?,00000000,localcfg,00000000), ref: 003E83F3
                                                                                              • RegQueryValueExA.KERNELBASE(003F0750,?,00000000,?,003E8893,?,?,?,00000000,00000103,003F0750,?,?,00000000,localcfg,00000000), ref: 003E8414
                                                                                              • RegSetValueExA.KERNELBASE(003F0750,?,00000000,00000004,003E8893,00000004,?,?,00000000,00000103,003F0750,?,?,00000000,localcfg,00000000), ref: 003E8441
                                                                                              • RegCloseKey.ADVAPI32(003F0750,?,?,00000000,00000103,003F0750,?,?,00000000,localcfg,00000000), ref: 003E844A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseOpenQuery
                                                                                              • String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe$localcfg
                                                                                              • API String ID: 237177642-2982705486
                                                                                              • Opcode ID: 11684f97f83a950e302c365c5243c0f766f6016de046553e5198c10be67c9af0
                                                                                              • Instruction ID: 14add20cfb0f3ce875ab4615661201df3a98731e91b488704dd07c610e10270b
                                                                                              • Opcode Fuzzy Hash: 11684f97f83a950e302c365c5243c0f766f6016de046553e5198c10be67c9af0
                                                                                              • Instruction Fuzzy Hash: ADC180B1D40199BEEB13ABA69C85EFF7BBCEB05300F140665F609A60D1EE314E44DB21

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 929 3e1d96-3e1dce call 3eee2a GetVersionExA 932 3e1de0 929->932 933 3e1dd0-3e1dde 929->933 934 3e1de3-3e1e14 GetSystemInfo GetModuleHandleA GetProcAddress 932->934 933->934 935 3e1e16-3e1e21 GetCurrentProcess 934->935 936 3e1e24-3e1e59 call 3ee819 * 2 934->936 935->936 941 3e1e7a-3e1ea0 call 3eea84 call 3ee819 call 3e199c 936->941 942 3e1e5b-3e1e77 call 3edf70 * 2 936->942 953 3e1ea8 941->953 954 3e1ea2-3e1ea6 941->954 942->941 955 3e1eac-3e1ec1 call 3ee819 953->955 954->955 958 3e1ec3-3e1ede call 3ef04e call 3eea84 955->958 959 3e1ee0-3e1ef6 call 3ee819 955->959 958->959 965 3e1ef8 call 3e1b71 959->965 966 3e1f14-3e1f2b call 3ee819 959->966 971 3e1efd-3e1f11 call 3eea84 965->971 972 3e1f2d call 3e1bdf 966->972 973 3e1f49-3e1f65 call 3ee819 966->973 971->966 978 3e1f32-3e1f46 call 3eea84 972->978 981 3e1f7a-3e1f8c call 3e30b5 973->981 982 3e1f67-3e1f77 call 3eea84 973->982 978->973 988 3e1f8e-3e1f91 981->988 989 3e1f93-3e1f9a 981->989 982->981 990 3e1fbb-3e1fc0 988->990 991 3e1f9c-3e1fa3 call 3e6ec3 989->991 992 3e1fb7 989->992 994 3e1fc9-3e1fea GetTickCount 990->994 995 3e1fc2 990->995 997 3e1fae-3e1fb5 991->997 998 3e1fa5-3e1fac 991->998 992->990 995->994 997->990 998->990
                                                                                              APIs
                                                                                              • GetVersionExA.KERNEL32 ref: 003E1DC6
                                                                                              • GetSystemInfo.KERNELBASE(?), ref: 003E1DE8
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 003E1E03
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 003E1E0A
                                                                                              • GetCurrentProcess.KERNEL32(?), ref: 003E1E1B
                                                                                              • GetTickCount.KERNEL32 ref: 003E1FC9
                                                                                                • Part of subcall function 003E1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 003E1C15
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                              • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                              • API String ID: 4207808166-1381319158
                                                                                              • Opcode ID: ce9a72b06e2a085583cff46a6865243e7860f4730db6539ef21a5eed88412c2a
                                                                                              • Instruction ID: 43a539c87627af6c9a22bd5bab5d811a0a26ad9b3b678b7d1e2a768bb67683fd
                                                                                              • Opcode Fuzzy Hash: ce9a72b06e2a085583cff46a6865243e7860f4730db6539ef21a5eed88412c2a
                                                                                              • Instruction Fuzzy Hash: AA51C6B59043946FE336AF7A8C86F77BAECEB44704F040A1DF58686283D774A904C7A5

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 999 3e73ff-3e7419 1000 3e741d-3e7422 999->1000 1001 3e741b 999->1001 1002 3e7426-3e742b 1000->1002 1003 3e7424 1000->1003 1001->1000 1004 3e742d 1002->1004 1005 3e7430-3e7435 1002->1005 1003->1002 1004->1005 1006 3e743a-3e7481 call 3e6dc2 call 3e2544 RegOpenKeyExA 1005->1006 1007 3e7437 1005->1007 1012 3e77f9-3e77fe call 3eee2a 1006->1012 1013 3e7487-3e749d call 3eee2a 1006->1013 1007->1006 1018 3e7801 1012->1018 1019 3e7703-3e770e RegEnumKeyA 1013->1019 1022 3e7804-3e7808 1018->1022 1020 3e7714-3e771d RegCloseKey 1019->1020 1021 3e74a2-3e74b1 call 3e6cad 1019->1021 1020->1018 1025 3e76ed-3e7700 1021->1025 1026 3e74b7-3e74cc call 3ef1a5 1021->1026 1025->1019 1026->1025 1029 3e74d2-3e74f8 RegOpenKeyExA 1026->1029 1030 3e74fe-3e7530 call 3e2544 RegQueryValueExA 1029->1030 1031 3e7727-3e772a 1029->1031 1030->1031 1038 3e7536-3e753c 1030->1038 1033 3e772c-3e7740 call 3eef00 1031->1033 1034 3e7755-3e7764 call 3eee2a 1031->1034 1043 3e774b-3e774e 1033->1043 1044 3e7742-3e7745 RegCloseKey 1033->1044 1041 3e76df-3e76e2 1034->1041 1042 3e753f-3e7544 1038->1042 1041->1025 1045 3e76e4-3e76e7 RegCloseKey 1041->1045 1042->1042 1046 3e7546-3e754b 1042->1046 1047 3e77ec-3e77f7 RegCloseKey 1043->1047 1044->1043 1045->1025 1046->1034 1048 3e7551-3e756b call 3eee95 1046->1048 1047->1022 1048->1034 1051 3e7571-3e7593 call 3e2544 call 3eee95 1048->1051 1056 3e7599-3e75a0 1051->1056 1057 3e7753 1051->1057 1058 3e75c8-3e75d7 call 3eed03 1056->1058 1059 3e75a2-3e75c6 call 3eef00 call 3eed03 1056->1059 1057->1034 1065 3e75d8-3e75da 1058->1065 1059->1065 1067 3e75df-3e7623 call 3eee95 call 3e2544 call 3eee95 call 3eee2a 1065->1067 1068 3e75dc 1065->1068 1077 3e7626-3e762b 1067->1077 1068->1067 1077->1077 1078 3e762d-3e7634 1077->1078 1079 3e7637-3e763c 1078->1079 1079->1079 1080 3e763e-3e7642 1079->1080 1081 3e765c-3e7673 call 3eed23 1080->1081 1082 3e7644-3e7656 call 3eed77 1080->1082 1087 3e7675-3e767e 1081->1087 1088 3e7680 1081->1088 1082->1081 1089 3e7769-3e777c call 3eef00 1082->1089 1091 3e7683-3e768e call 3e6cad 1087->1091 1088->1091 1094 3e77e3-3e77e6 RegCloseKey 1089->1094 1096 3e7694-3e76bf call 3ef1a5 call 3e6c96 1091->1096 1097 3e7722-3e7725 1091->1097 1094->1047 1103 3e76d8 1096->1103 1104 3e76c1-3e76c7 1096->1104 1098 3e76dd 1097->1098 1098->1041 1103->1098 1104->1103 1105 3e76c9-3e76d2 1104->1105 1105->1103 1106 3e777e-3e7797 GetFileAttributesExA 1105->1106 1107 3e779a-3e779f 1106->1107 1108 3e7799 1106->1108 1109 3e77a3-3e77a8 1107->1109 1110 3e77a1 1107->1110 1108->1107 1111 3e77aa-3e77c0 call 3eee08 1109->1111 1112 3e77c4-3e77c8 1109->1112 1110->1109 1111->1112 1114 3e77ca-3e77d6 call 3eef00 1112->1114 1115 3e77d7-3e77dc 1112->1115 1114->1115 1116 3e77de 1115->1116 1117 3e77e0-3e77e2 1115->1117 1116->1117 1117->1094
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 003E7472
                                                                                              • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 003E74F0
                                                                                              • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 003E7528
                                                                                              • ___ascii_stricmp.LIBCMT ref: 003E764D
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 003E76E7
                                                                                              • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 003E7706
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 003E7717
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 003E7745
                                                                                              • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 003E77EF
                                                                                                • Part of subcall function 003EF1A5: lstrlenA.KERNEL32(000000C8,000000E4,003F22F8,000000C8,003E7150,?), ref: 003EF1AD
                                                                                              • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 003E778F
                                                                                              • RegCloseKey.KERNELBASE(?), ref: 003E77E6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                              • String ID: "
                                                                                              • API String ID: 3433985886-123907689
                                                                                              • Opcode ID: ebbb4c5573fda57d70d650612657e457655d568c939366de22d3d095651c39a2
                                                                                              • Instruction ID: fb8e3d0dbda0ece208d38251f13e3f5b279d46011597e16a7a3313ce02e957e7
                                                                                              • Opcode Fuzzy Hash: ebbb4c5573fda57d70d650612657e457655d568c939366de22d3d095651c39a2
                                                                                              • Instruction Fuzzy Hash: C3C1B2719042A9AFEB139BA6DC45FEEBBBDEF45310F110295F504EA1D1EB319E408B60

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1121 3e675c-3e6778 1122 3e677a-3e677e SetFileAttributesA 1121->1122 1123 3e6784-3e67a2 CreateFileA 1121->1123 1122->1123 1124 3e67a4-3e67b2 CreateFileA 1123->1124 1125 3e67b5-3e67b8 1123->1125 1124->1125 1126 3e67ba-3e67bf SetFileAttributesA 1125->1126 1127 3e67c5-3e67c9 1125->1127 1126->1127 1128 3e67cf-3e67df GetFileSize 1127->1128 1129 3e6977-3e6986 1127->1129 1130 3e696b 1128->1130 1131 3e67e5-3e67e7 1128->1131 1132 3e696e-3e6971 FindCloseChangeNotification 1130->1132 1131->1130 1133 3e67ed-3e680b ReadFile 1131->1133 1132->1129 1133->1130 1134 3e6811-3e6824 SetFilePointer 1133->1134 1134->1130 1135 3e682a-3e6842 ReadFile 1134->1135 1135->1130 1136 3e6848-3e6861 SetFilePointer 1135->1136 1136->1130 1137 3e6867-3e6876 1136->1137 1138 3e6878-3e688f ReadFile 1137->1138 1139 3e68d5-3e68df 1137->1139 1141 3e68d2 1138->1141 1142 3e6891-3e689e 1138->1142 1139->1132 1140 3e68e5-3e68eb 1139->1140 1143 3e68ed 1140->1143 1144 3e68f0-3e68fe call 3eebcc 1140->1144 1141->1139 1145 3e68b7-3e68ba 1142->1145 1146 3e68a0-3e68b5 1142->1146 1143->1144 1144->1130 1153 3e6900-3e690b SetFilePointer 1144->1153 1147 3e68bd-3e68c3 1145->1147 1146->1147 1149 3e68c8-3e68ce 1147->1149 1150 3e68c5 1147->1150 1149->1138 1152 3e68d0 1149->1152 1150->1149 1152->1139 1154 3e690d-3e6920 ReadFile 1153->1154 1155 3e695a-3e6969 call 3eec2e 1153->1155 1154->1155 1156 3e6922-3e6958 1154->1156 1155->1132 1156->1132
                                                                                              APIs
                                                                                              • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 003E677E
                                                                                              • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 003E679A
                                                                                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 003E67B0
                                                                                              • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 003E67BF
                                                                                              • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 003E67D3
                                                                                              • ReadFile.KERNELBASE(000000FF,?,00000040,003E8244,00000000,?,75920F10,00000000), ref: 003E6807
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 003E681F
                                                                                              • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 003E683E
                                                                                              • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 003E685C
                                                                                              • ReadFile.KERNEL32(000000FF,?,00000028,003E8244,00000000,?,75920F10,00000000), ref: 003E688B
                                                                                              • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 003E6906
                                                                                              • ReadFile.KERNEL32(000000FF,?,00000000,003E8244,00000000,?,75920F10,00000000), ref: 003E691C
                                                                                              • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 003E6971
                                                                                                • Part of subcall function 003EEC2E: GetProcessHeap.KERNEL32(00000000,'>,00000000,003EEA27,00000000), ref: 003EEC41
                                                                                                • Part of subcall function 003EEC2E: RtlFreeHeap.NTDLL(00000000), ref: 003EEC48
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                              • String ID:
                                                                                              • API String ID: 1400801100-0
                                                                                              • Opcode ID: 4a34dd2ca8b5e63efd52ae187ed76609e6af7ce5607aa3ceddda455f4653d2dc
                                                                                              • Instruction ID: 9bff954ab6d20fa75bd0f4568b0387a60bd54f869eb4c8c6203be6a3e23ab744
                                                                                              • Opcode Fuzzy Hash: 4a34dd2ca8b5e63efd52ae187ed76609e6af7ce5607aa3ceddda455f4653d2dc
                                                                                              • Instruction Fuzzy Hash: 11713671C0026DEFDF128FA5CC81AEEBBB9FB04354F10466AF515A6191E7309E92DB60

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1159 3ef315-3ef332 1160 3ef33b-3ef372 call 3eee2a htons socket 1159->1160 1161 3ef334-3ef336 1159->1161 1165 3ef374-3ef37d closesocket 1160->1165 1166 3ef382-3ef39b ioctlsocket 1160->1166 1162 3ef424-3ef427 1161->1162 1165->1162 1167 3ef39d 1166->1167 1168 3ef3aa-3ef3f0 connect select 1166->1168 1169 3ef39f-3ef3a8 closesocket 1167->1169 1170 3ef3f2-3ef401 __WSAFDIsSet 1168->1170 1171 3ef421 1168->1171 1172 3ef423 1169->1172 1170->1169 1173 3ef403-3ef416 ioctlsocket call 3ef26d 1170->1173 1171->1172 1172->1162 1175 3ef41b-3ef41f 1173->1175 1175->1172
                                                                                              APIs
                                                                                              • htons.WS2_32(003ECA1D), ref: 003EF34D
                                                                                              • socket.WS2_32(00000002,00000001,00000000), ref: 003EF367
                                                                                              • closesocket.WS2_32(00000000), ref: 003EF375
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: closesockethtonssocket
                                                                                              • String ID: time_cfg
                                                                                              • API String ID: 311057483-2401304539
                                                                                              • Opcode ID: d316a9e519895b7628e3b81098fc834925696436de9284dc72e147d38935b530
                                                                                              • Instruction ID: 4cfa9d8d1a6ec5d33d8db627edf7c63e82f4fda139bcb393960f6d07e436c3ea
                                                                                              • Opcode Fuzzy Hash: d316a9e519895b7628e3b81098fc834925696436de9284dc72e147d38935b530
                                                                                              • Instruction Fuzzy Hash: 71316D7690016CAFDB129FAADC85DEF7BBCEF88310F104666F915D2191E7709A418BA0

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1176 3e405e-3e407b CreateEventA 1177 3e407d-3e4081 1176->1177 1178 3e4084-3e40a8 call 3e3ecd call 3e4000 1176->1178 1183 3e40ae-3e40be call 3eee2a 1178->1183 1184 3e4130-3e413e call 3eee2a 1178->1184 1183->1184 1190 3e40c0-3e40f1 call 3eeca5 call 3e3f18 call 3e3f8c 1183->1190 1189 3e413f-3e4165 call 3e3ecd CreateNamedPipeA 1184->1189 1195 3e4188-3e4193 ConnectNamedPipe 1189->1195 1196 3e4167-3e4174 Sleep 1189->1196 1207 3e4127-3e412a CloseHandle 1190->1207 1208 3e40f3-3e40ff 1190->1208 1200 3e41ab-3e41c0 call 3e3f8c 1195->1200 1201 3e4195-3e41a5 GetLastError 1195->1201 1196->1189 1198 3e4176-3e4182 CloseHandle 1196->1198 1198->1195 1200->1195 1209 3e41c2-3e41f2 call 3e3f18 call 3e3f8c 1200->1209 1201->1200 1203 3e425e-3e4265 DisconnectNamedPipe 1201->1203 1203->1195 1207->1184 1208->1207 1210 3e4101-3e4121 call 3e3f18 ExitProcess 1208->1210 1209->1203 1217 3e41f4-3e4200 1209->1217 1217->1203 1218 3e4202-3e4215 call 3e3f8c 1217->1218 1218->1203 1221 3e4217-3e421b 1218->1221 1221->1203 1222 3e421d-3e4230 call 3e3f8c 1221->1222 1222->1203 1225 3e4232-3e4236 1222->1225 1225->1195 1226 3e423c-3e4251 call 3e3f18 1225->1226 1229 3e426a-3e4276 CloseHandle * 2 call 3ee318 1226->1229 1230 3e4253-3e4259 1226->1230 1232 3e427b 1229->1232 1230->1195 1232->1232
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 003E4070
                                                                                              • ExitProcess.KERNEL32 ref: 003E4121
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEventExitProcess
                                                                                              • String ID:
                                                                                              • API String ID: 2404124870-0
                                                                                              • Opcode ID: 117c9d8e91baff87264cc7ab2fa3441b1a23e655daa5544245f48300145b5490
                                                                                              • Instruction ID: cf12463e6007474da19c423828e2a223d5bab904be11e93dbc35d0b6a91c48fc
                                                                                              • Opcode Fuzzy Hash: 117c9d8e91baff87264cc7ab2fa3441b1a23e655daa5544245f48300145b5490
                                                                                              • Instruction Fuzzy Hash: 8E5191B1D00269BAEF22ABA68C46FFF7A7CEB18714F110265F614A61C1E7348A41D761

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1233 3e2d21-3e2d44 GetModuleHandleA 1234 3e2d5b-3e2d69 GetProcAddress 1233->1234 1235 3e2d46-3e2d52 LoadLibraryA 1233->1235 1236 3e2d54-3e2d56 1234->1236 1237 3e2d6b-3e2d7b DnsQuery_A 1234->1237 1235->1234 1235->1236 1239 3e2dee-3e2df1 1236->1239 1237->1236 1238 3e2d7d-3e2d88 1237->1238 1240 3e2d8a-3e2d8b 1238->1240 1241 3e2deb 1238->1241 1242 3e2d90-3e2d95 1240->1242 1241->1239 1243 3e2d97-3e2daa GetProcessHeap HeapAlloc 1242->1243 1244 3e2de2-3e2de8 1242->1244 1245 3e2dac-3e2dd9 call 3eee2a lstrcpynA 1243->1245 1246 3e2dea 1243->1246 1244->1242 1244->1246 1249 3e2ddb-3e2dde 1245->1249 1250 3e2de0 1245->1250 1246->1241 1249->1244 1250->1244
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,003E2F01,?,003E20FF,003F2000), ref: 003E2D3A
                                                                                              • LoadLibraryA.KERNEL32(?), ref: 003E2D4A
                                                                                              • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 003E2D61
                                                                                              • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 003E2D77
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 003E2D99
                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 003E2DA0
                                                                                              • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 003E2DCB
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                              • String ID: DnsQuery_A$dnsapi.dll
                                                                                              • API String ID: 233223969-3847274415
                                                                                              • Opcode ID: 24533913de32a416545a34eaf251d4c11a621b54e65fa1f9efe6ce7949b021b2
                                                                                              • Instruction ID: df5f05b7ad812cf6e4facc6eb0d0d53923b652c58f8cdcf65c341abc42ac22b0
                                                                                              • Opcode Fuzzy Hash: 24533913de32a416545a34eaf251d4c11a621b54e65fa1f9efe6ce7949b021b2
                                                                                              • Instruction Fuzzy Hash: 09219071D4026AABCB239F6ADC449AFBBBCEF08B51F114111FA15E7291D7B09981C7D0

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1251 3e80c9-3e80ed call 3e6ec3 1254 3e80ef call 3e7ee6 1251->1254 1255 3e80f9-3e8115 call 3e704c 1251->1255 1258 3e80f4 1254->1258 1260 3e8225-3e822b 1255->1260 1261 3e811b-3e8121 1255->1261 1258->1260 1263 3e826c-3e8273 1260->1263 1264 3e822d-3e8233 1260->1264 1261->1260 1262 3e8127-3e812a 1261->1262 1262->1260 1265 3e8130-3e8167 call 3e2544 RegOpenKeyExA 1262->1265 1264->1263 1266 3e8235-3e823f call 3e675c 1264->1266 1272 3e816d-3e818b RegQueryValueExA 1265->1272 1273 3e8216-3e8222 call 3eee2a 1265->1273 1269 3e8244-3e824b 1266->1269 1269->1263 1271 3e824d-3e8269 call 3e24c2 call 3eec2e 1269->1271 1271->1263 1275 3e818d-3e8191 1272->1275 1276 3e81f7-3e81fe 1272->1276 1273->1260 1275->1276 1281 3e8193-3e8196 1275->1281 1279 3e820d-3e8210 RegCloseKey 1276->1279 1280 3e8200-3e8206 call 3eec2e 1276->1280 1279->1273 1289 3e820c 1280->1289 1281->1276 1285 3e8198-3e81a8 call 3eebcc 1281->1285 1285->1279 1291 3e81aa-3e81c2 RegQueryValueExA 1285->1291 1289->1279 1291->1276 1292 3e81c4-3e81ca 1291->1292 1293 3e81cd-3e81d2 1292->1293 1293->1293 1294 3e81d4-3e81e5 call 3eebcc 1293->1294 1294->1279 1297 3e81e7-3e81f5 call 3eef00 1294->1297 1297->1289
                                                                                              APIs
                                                                                              • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 003E815F
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,003EA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 003E8187
                                                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,003EA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 003E81BE
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 003E8210
                                                                                                • Part of subcall function 003E675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 003E677E
                                                                                                • Part of subcall function 003E675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 003E679A
                                                                                                • Part of subcall function 003E675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 003E67B0
                                                                                                • Part of subcall function 003E675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 003E67BF
                                                                                                • Part of subcall function 003E675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 003E67D3
                                                                                                • Part of subcall function 003E675C: ReadFile.KERNELBASE(000000FF,?,00000040,003E8244,00000000,?,75920F10,00000000), ref: 003E6807
                                                                                                • Part of subcall function 003E675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 003E681F
                                                                                                • Part of subcall function 003E675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 003E683E
                                                                                                • Part of subcall function 003E675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 003E685C
                                                                                                • Part of subcall function 003EEC2E: GetProcessHeap.KERNEL32(00000000,'>,00000000,003EEA27,00000000), ref: 003EEC41
                                                                                                • Part of subcall function 003EEC2E: RtlFreeHeap.NTDLL(00000000), ref: 003EEC48
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                              • String ID: C:\Windows\SysWOW64\xembmrjv\igqrtpsy.exe
                                                                                              • API String ID: 124786226-2316492303
                                                                                              • Opcode ID: 0e9d944c1244fa22438eaf32ccb056b9cad56d2354da6fdccbe90453bd8af5d8
                                                                                              • Instruction ID: 0461fbf2b2abff9318b348a1258632a6c439af475ba2c307190c70989eacb6ae
                                                                                              • Opcode Fuzzy Hash: 0e9d944c1244fa22438eaf32ccb056b9cad56d2354da6fdccbe90453bd8af5d8
                                                                                              • Instruction Fuzzy Hash: 534181B2D051ADBFEB13EBA6DD81DBF776C9B04300F150A6AF609A6091EA305E44CB51
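The read sequence in the trace above (ReadFile of 0x40 bytes, SetFilePointer, ReadFile of 0xF8 bytes) matches sizeof(IMAGE_DOS_HEADER) and sizeof(IMAGE_NT_HEADERS32), so the function is reading the PE headers of the file named in the String ID, after opening it with GENERIC_READ (0x80000000), FILE_SHARE_READ|FILE_SHARE_WRITE (3) and OPEN_EXISTING (3) and flipping its attributes between FILE_ATTRIBUTE_NORMAL (0x80) and FILE_ATTRIBUTE_HIDDEN (0x02). The following replay of that sequence is an added example, not code from the sample or from Joe Sandbox; the PE bytes it builds are constructed here and are not taken from the dropped file.

```python
"""Replay of the header-read sequence seen in the trace: ReadFile(0x40) for
IMAGE_DOS_HEADER, SetFilePointer to e_lfanew, ReadFile(0xF8) for
IMAGE_NT_HEADERS32. Added example, not code from the sample or the report;
the PE image built by build_sample_pe() is constructed for this example."""
import io
import struct

DOS_HEADER_SIZE = 0x40       # first ReadFile length in the trace
NT_HEADERS32_SIZE = 0xF8     # second ReadFile length: 4 + 20 + 224
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
OPT = 24                     # IMAGE_OPTIONAL_HEADER32 offset inside IMAGE_NT_HEADERS32


def read_pe_headers(fp):
    """Parse the headers from a seekable file object the way the traced
    function does. Raises ValueError if the image is not a PE32 file."""
    dos = fp.read(DOS_HEADER_SIZE)                     # ReadFile(h, buf, 0x40)
    if len(dos) != DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("no IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    fp.seek(e_lfanew)                                  # SetFilePointer(h, e_lfanew, 0, FILE_BEGIN)
    nt = fp.read(NT_HEADERS32_SIZE)                    # ReadFile(h, buf, 0xF8)
    if len(nt) != NT_HEADERS32_SIZE or nt[:4] != b"PE\0\0":
        raise ValueError("no IMAGE_NT_HEADERS signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", nt, 4)
    magic = struct.unpack_from("<H", nt, OPT)[0]
    if magic != PE32_MAGIC or opt_size != 224:
        raise ValueError("not a PE32 optional header")
    return {
        "machine": machine,
        "sections": nsections,
        "characteristics": chars,
        "entry_point": struct.unpack_from("<I", nt, OPT + 16)[0],
        "image_base": struct.unpack_from("<I", nt, OPT + 28)[0],
        "size_of_image": struct.unpack_from("<I", nt, OPT + 56)[0],
        "subsystem": struct.unpack_from("<H", nt, OPT + 68)[0],
    }


def is_pe32(data):
    """True if the bytes begin with a parseable DOS/NT header pair."""
    try:
        read_pe_headers(io.BytesIO(data))
        return True
    except ValueError:
        return False


def build_sample_pe():
    """Constructed minimal PE32 header pair (arbitrary values, not from
    igqrtpsy.exe): 64-byte DOS header, padding, then 248 bytes of NT headers."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew
    stub = bytes(0x80 - DOS_HEADER_SIZE)               # DOS stub padding
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 56, 0x14000)           # SizeOfImage
    struct.pack_into("<H", opt, 68, 2)                 # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + stub + b"PE\0\0" + file_hdr + bytes(opt)


def parse_sample():
    """Run the replay over the constructed image."""
    return read_pe_headers(io.BytesIO(build_sample_pe()))


if __name__ == "__main__":
    print(parse_sample())
```

The two fixed read lengths are the useful indicator here: a function that reads exactly 0x40 and then exactly 0xF8 bytes is walking PE headers, whatever it does with them afterwards, and the same lengths show up in the ReadFile arguments whenever this routine is hit.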

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1300 3e1ac3-3e1adc LoadLibraryA 1301 3e1b6b-3e1b70 1300->1301 1302 3e1ae2-3e1af3 GetProcAddress 1300->1302 1303 3e1b6a 1302->1303 1304 3e1af5-3e1b01 1302->1304 1303->1301 1305 3e1b1c-3e1b27 GetAdaptersAddresses 1304->1305 1306 3e1b29-3e1b2b 1305->1306 1307 3e1b03-3e1b12 call 3eebed 1305->1307 1308 3e1b2d-3e1b32 1306->1308 1309 3e1b5b-3e1b5e 1306->1309 1307->1306 1318 3e1b14-3e1b1b 1307->1318 1311 3e1b69 1308->1311 1312 3e1b34-3e1b3b 1308->1312 1309->1311 1313 3e1b60-3e1b68 call 3eec2e 1309->1313 1311->1303 1315 3e1b3d-3e1b52 1312->1315 1316 3e1b54-3e1b59 1312->1316 1313->1311 1315->1315 1315->1316 1316->1309 1316->1312 1318->1305
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 003E1AD4
                                                                                              • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 003E1AE9
                                                                                              • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 003E1B20
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                              • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                              • API String ID: 3646706440-1087626847
                                                                                              • Opcode ID: 28ed9af74c221128c6066b6c3e32621b69bf1202b9ed8e0e868e976646d9559f
                                                                                              • Instruction ID: 88f433947bd0da06e96ece8c20461570fef6177dede442fbd0f955e63cb8a701
                                                                                              • Opcode Fuzzy Hash: 28ed9af74c221128c6066b6c3e32621b69bf1202b9ed8e0e868e976646d9559f
                                                                                              • Instruction Fuzzy Hash: 4211D371E01178BFCF179BAACC85CEDFBBAEB44B10B254266E006A7191E7705E40CB90

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1320 3ee3ca-3ee3ee RegOpenKeyExA 1321 3ee528-3ee52d 1320->1321 1322 3ee3f4-3ee3fb 1320->1322 1323 3ee3fe-3ee403 1322->1323 1323->1323 1324 3ee405-3ee40f 1323->1324 1325 3ee414-3ee452 call 3eee08 call 3ef1ed RegQueryValueExA 1324->1325 1326 3ee411-3ee413 1324->1326 1331 3ee51d-3ee527 RegCloseKey 1325->1331 1332 3ee458-3ee486 call 3ef1ed RegQueryValueExA 1325->1332 1326->1325 1331->1321 1335 3ee488-3ee48a 1332->1335 1335->1331 1336 3ee490-3ee4a1 call 3edb2e 1335->1336 1336->1331 1339 3ee4a3-3ee4a6 1336->1339 1340 3ee4a9-3ee4d3 call 3ef1ed RegQueryValueExA 1339->1340 1343 3ee4e8-3ee4ea 1340->1343 1344 3ee4d5-3ee4da 1340->1344 1343->1331 1346 3ee4ec-3ee516 call 3e2544 call 3ee332 1343->1346 1344->1343 1345 3ee4dc-3ee4e6 1344->1345 1345->1340 1345->1343 1346->1331
                                                                                              APIs
                                                                                              • RegOpenKeyExA.KERNELBASE(80000001,003EE5F2,00000000,00020119,003EE5F2,003F22F8), ref: 003EE3E6
                                                                                              • RegQueryValueExA.ADVAPI32(003EE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 003EE44E
                                                                                              • RegQueryValueExA.ADVAPI32(003EE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 003EE482
                                                                                              • RegQueryValueExA.ADVAPI32(003EE5F2,?,00000000,?,80000001,?), ref: 003EE4CF
                                                                                              • RegCloseKey.ADVAPI32(003EE5F2,?,?,?,?,000000C8,000000E4), ref: 003EE520
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: QueryValue$CloseOpen
                                                                                              • String ID:
                                                                                              • API String ID: 1586453840-0
                                                                                              • Opcode ID: df6695de13a4304376dbbd7922677253e7a7c1c19251bd2db5e6032ac03a91b6
                                                                                              • Instruction ID: e58ea5faa299a7d1972a231d4e295df2c49f6ed8f66b2d7933642501be89920b
                                                                                              • Opcode Fuzzy Hash: df6695de13a4304376dbbd7922677253e7a7c1c19251bd2db5e6032ac03a91b6
                                                                                              • Instruction Fuzzy Hash: BF4128B2D0026DBFDF129FDADC81DEEBBBDEB04344F054166E910E6191E7319A158B60

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1351 3ef26d-3ef303 setsockopt * 5
                                                                                              APIs
                                                                                              • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 003EF2A0
                                                                                              • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 003EF2C0
                                                                                              • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 003EF2DD
                                                                                              • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 003EF2EC
                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 003EF2FD
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: setsockopt
                                                                                              • String ID:
                                                                                              • API String ID: 3981526788-0
                                                                                              • Opcode ID: bf13a35c0d69dea1686c3b61e06653f5b6faf7dcacb22df773483521986da8f3
                                                                                              • Instruction ID: 74ab31ca47986739c4f32c78db8c49065135269ebc82821e2e8212d617513adf
                                                                                              • Opcode Fuzzy Hash: bf13a35c0d69dea1686c3b61e06653f5b6faf7dcacb22df773483521986da8f3
                                                                                              • Instruction Fuzzy Hash: E5110DB1A40248BAEF11DF94CD45FDE7FBCEB44751F004066BB04EA1D0E6B19A44CB94
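The trace prints raw hex arguments, and the five setsockopt calls above, the CreateFileA call at 003E679A and the RegOpenKeyExA call at 003EE3E6 are only readable once the constants are decoded (level 0xFFFF is SOL_SOCKET, 0x1005/0x1006 are SO_SNDTIMEO/SO_RCVTIMEO, 0x20119 is KEY_READ|KEY_WOW64_64KEY, and so on). The decoder below is an added example, not part of the report or of the sample: it parses the report's own "Api.MODULE(args), ref: addr" line format and maps the arguments of those three APIs to their Winsock, fileapi and winreg names. The trace lines in SAMPLE_TRACE are copied from this page; the constant tables are standard Windows SDK values.

```python
"""Decoder for argument constants in Joe Sandbox API-trace lines.
Added example, not code from the report or the sample. SAMPLE_TRACE holds
lines copied from the report; the trailing values Joe Sandbox prints past
an API's real parameter count are stack residue and are ignored."""
import re

# "Api.MODULE(arg,arg,...), ref: 0040ABCD", optionally prefixed by a bullet;
# a few entries (e.g. GetTickCount) carry no argument list at all.
_LINE = re.compile(r"^\W*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Winsock 2 levels and options (winsock2.h values).
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
LEVELS = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP", 0: "IPPROTO_IP", 17: "IPPROTO_UDP"}
SO_OPTS = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST",
           0x0080: "SO_LINGER", 0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF",
           0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
TCP_OPTS = {0x0001: "TCP_NODELAY"}

# CreateFileA masks (winnt.h / fileapi.h).
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x40000000: "FILE_FLAG_OVERLAPPED", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x80: "FILE_ATTRIBUTE_NORMAL", 0x04: "FILE_ATTRIBUTE_SYSTEM",
              0x02: "FILE_ATTRIBUTE_HIDDEN", 0x01: "FILE_ATTRIBUTE_READONLY"}

# RegOpenKeyExA root handles and access rights (winreg.h); KEY_READ is the
# composite 0x20019 and is listed so it is consumed before its member bits.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = {0x20019: "KEY_READ", 0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY",
              0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
              0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY"}


def flags(value, table):
    """Render a bit mask symbolically; larger (composite) masks are consumed first."""
    if value is None:
        return "?"
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if (rest & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append("0x%X" % rest)
    return "|".join(names) if names else "0"


def _arg(tok):
    """'?' means unresolved; 8 hex digits is a DWORD; anything else is a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_trace_line(line):
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not an API trace line: %r" % line)
    args = [] if m["args"] is None else [_arg(t) for t in m["args"].split(",")]
    return m["api"], m["mod"], args, int(m["ref"], 16)


def decode_call(api, args):
    """Symbolic view of the parameters the API actually consumes."""
    a = (list(args) + [None] * 8)[:8]
    if api == "setsockopt":                      # (s, level, optname, optval, optlen)
        level, opt = a[1], a[2]
        opts = SO_OPTS if level == SOL_SOCKET else TCP_OPTS if level == IPPROTO_TCP else {}
        return {"level": LEVELS.get(level, flags(level, {})),
                "optname": opts.get(opt, flags(opt, {})), "optlen": a[4]}
    if api == "CreateFileA":                     # (name, access, share, sa, disposition, flags, template)
        return {"access": flags(a[1], ACCESS), "share": flags(a[2], SHARE),
                "disposition": DISPOSITION.get(a[4], flags(a[4], {})),
                "flags": flags(a[5], FILE_FLAGS)}
    if api == "RegOpenKeyExA":                   # (hKey, subkey, options, samDesired, result)
        return {"hkey": HKEYS.get(a[0], flags(a[0], {})), "sam": flags(a[3], KEY_RIGHTS)}
    return {}


def decode_trace(lines):
    """(api, ref, decoded-args) for each trace line."""
    out = []
    for line in lines:
        api, _mod, args, ref = parse_trace_line(line)
        out.append((api, ref, decode_call(api, args)))
    return out


# Lines copied from the report above.
SAMPLE_TRACE = [
    "• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 003EF2A0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 003EF2C0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 003EF2DD",
    "• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 003EF2EC",
    "• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 003EF2FD",
    "• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 003E679A",
    "• RegOpenKeyExA.KERNELBASE(80000001,003EE5F2,00000000,00020119,003EE5F2,003F22F8), ref: 003EE3E6",
]

if __name__ == "__main__":
    for api, ref, decoded in decode_trace(SAMPLE_TRACE):
        print("%08X %-14s %s" % (ref, api, decoded))
```

Decoded, the five calls at 003EF26D set SO_REUSEADDR, a send timeout, a receive timeout, TCP_NODELAY and SO_LINGER on a socket, which is the shape of a generic socket-setup helper rather than anything protocol specific; the registry open targets HKEY_CURRENT_USER with KEY_READ plus the KEY_WOW64_64KEY view flag, which is what a 32-bit process running under SysWOW64 needs to read the native 64-bit hive.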

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 1352 3e1bdf-3e1c04 call 3e1ac3 1354 3e1c09-3e1c0b 1352->1354 1355 3e1c0d-3e1c1d GetComputerNameA 1354->1355 1356 3e1c5a-3e1c5e 1354->1356 1357 3e1c1f-3e1c24 1355->1357 1358 3e1c45-3e1c57 GetVolumeInformationA 1355->1358 1357->1358 1359 3e1c26-3e1c3b 1357->1359 1358->1356 1359->1359 1360 3e1c3d-3e1c3f 1359->1360 1360->1358 1361 3e1c41-3e1c43 1360->1361 1361->1356
                                                                                              APIs
                                                                                                • Part of subcall function 003E1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 003E1AD4
                                                                                                • Part of subcall function 003E1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 003E1AE9
                                                                                                • Part of subcall function 003E1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 003E1B20
                                                                                              • GetComputerNameA.KERNEL32(?,0000000F), ref: 003E1C15
                                                                                              • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 003E1C51
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                              • String ID: hi_id$localcfg
                                                                                              • API String ID: 2794401326-2393279970
                                                                                              • Opcode ID: 0b1e65bc1d74adb4b89a78f2f3e1bb60bf3d1cf964371e128179cbe81f19b979
                                                                                              • Instruction ID: 72870702ec1bb41beb0e13e5e41712121552e963edcbd26e6fc7baf617c50eea
                                                                                              • Opcode Fuzzy Hash: 0b1e65bc1d74adb4b89a78f2f3e1bb60bf3d1cf964371e128179cbe81f19b979
                                                                                              • Instruction Fuzzy Hash: 8D0192B2A40169BFEB11DAF9CCC59FFBBBCEB44745F210575E602E3180D6309E4486A0
                                                                                              APIs
                                                                                                • Part of subcall function 003E1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 003E1AD4
                                                                                                • Part of subcall function 003E1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 003E1AE9
                                                                                                • Part of subcall function 003E1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 003E1B20
                                                                                              • GetComputerNameA.KERNEL32(?,0000000F), ref: 003E1BA3
                                                                                              • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,003E1EFD,00000000,00000000,00000000,00000000), ref: 003E1BB8
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 2794401326-1857712256
                                                                                              • Opcode ID: 1cf5437e579e9adfbb8a76479072d49dc6283155f9e608bcb247f1f55fbe8869
                                                                                              • Instruction ID: 33a8f63fb9597a0e57a1461e64864a5fdb49b7d0865b75ecd527aef6bf0d2e09
                                                                                              • Opcode Fuzzy Hash: 1cf5437e579e9adfbb8a76479072d49dc6283155f9e608bcb247f1f55fbe8869
                                                                                              • Instruction Fuzzy Hash: 24014BB6D00119BFEB029BEACC819EFFABCAB48750F250162A601E7191D6705E0886A0
                                                                                              APIs
                                                                                              • inet_addr.WS2_32(00000001), ref: 003E2693
                                                                                              • gethostbyname.WS2_32(00000001), ref: 003E269F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbynameinet_addr
                                                                                              • String ID: time_cfg
                                                                                              • API String ID: 1594361348-2401304539
                                                                                              • Opcode ID: b2e60e4cbda37df86f30c3a3614f8f2904d8e3b82490c1cc0ba4ce9930ee56b7
                                                                                              • Instruction ID: c53052c838d7eb0a24a440700bc22e2f6a0701fd7d592313d64b943086a5a5e4
                                                                                              • Opcode Fuzzy Hash: b2e60e4cbda37df86f30c3a3614f8f2904d8e3b82490c1cc0ba4ce9930ee56b7
                                                                                              • Instruction Fuzzy Hash: 70E08C302040619FCB128B29F848AD677A8AF06330F024780F440C32A1C7B09C808690
                                                                                              APIs
                                                                                                • Part of subcall function 003EEBA0: GetProcessHeap.KERNEL32(00000000,00000000,003EEC0A,00000000,80000001,?,003EDB55,7FFF0001), ref: 003EEBAD
                                                                                                • Part of subcall function 003EEBA0: HeapSize.KERNEL32(00000000,?,003EDB55,7FFF0001), ref: 003EEBB4
                                                                                              • GetProcessHeap.KERNEL32(00000000,'>,00000000,003EEA27,00000000), ref: 003EEC41
                                                                                              • RtlFreeHeap.NTDLL(00000000), ref: 003EEC48
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$Process$FreeSize
                                                                                              • String ID: '>
                                                                                              • API String ID: 1305341483-1708597524
                                                                                              • Opcode ID: 8e47468671ec9f93dbe669b784710dc21650481818c25570b950d05f018a9799
                                                                                              • Instruction ID: fd73c4e1b84c7a6851ad65b590f252f8e7003df6ffe5a209890aa9cc7321b467
                                                                                              • Opcode Fuzzy Hash: 8e47468671ec9f93dbe669b784710dc21650481818c25570b950d05f018a9799
                                                                                              • Instruction Fuzzy Hash: 8DC012728062706BC5572755BC0DFAB6B1C9F45711F0A0509F4056A195C760584086E1
                                                                                              APIs
                                                                                                • Part of subcall function 003EDD05: GetTickCount.KERNEL32 ref: 003EDD0F
                                                                                                • Part of subcall function 003EDD05: InterlockedExchange.KERNEL32(003F36B4,00000001), ref: 003EDD44
                                                                                                • Part of subcall function 003EDD05: GetCurrentThreadId.KERNEL32 ref: 003EDD53
                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,003EA445), ref: 003EE558
                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,003EA445), ref: 003EE583
                                                                                              • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,003EA445), ref: 003EE5B2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                              • String ID:
                                                                                              • API String ID: 3683885500-0
                                                                                              • Opcode ID: 64e4bd5ac7fe917f837b2c2ff5c01089b6536d0c18551cef26d6c263293b7f95
                                                                                              • Instruction ID: 29124616d4902b6f7302838221d2dcf9600dca84919d59599b896896f8b8de8d
                                                                                              • Opcode Fuzzy Hash: 64e4bd5ac7fe917f837b2c2ff5c01089b6536d0c18551cef26d6c263293b7f95
                                                                                              • Instruction Fuzzy Hash: D321F4B26403A57AE2277727AC47FBB7A1CDF56754F000614FA0AAA1D3FD65E900C2B1
                                                                                              APIs
                                                                                              • Sleep.KERNELBASE(000003E8), ref: 003E88A5
                                                                                                • Part of subcall function 003EF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,003EE342,00000000,7508EA50,80000001,00000000,003EE513,?,00000000,00000000,?,000000E4), ref: 003EF089
                                                                                                • Part of subcall function 003EF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,003EE342,00000000,7508EA50,80000001,00000000,003EE513,?,00000000,00000000,?,000000E4,000000C8), ref: 003EF093
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$FileSystem$Sleep
                                                                                              • String ID: localcfg$rresolv
                                                                                              • API String ID: 1561729337-486471987
                                                                                              • Opcode ID: ca22824534f76c5c017d06ed86eab02977c16be976cd383ef3a4362813c4652b
                                                                                              • Instruction ID: 26d46f33a134b5a6c5607299bd0f0e27d171fb540fe674aae91053c378304475
                                                                                              • Opcode Fuzzy Hash: ca22824534f76c5c017d06ed86eab02977c16be976cd383ef3a4362813c4652b
                                                                                              • Instruction Fuzzy Hash: 8F21E9319583A5AEF317B7676C43F7B3AACDB04710F910619F9089D0C3EED14944C1A1
                                                                                              APIs
                                                                                              • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,003F22F8,003E42B6,00000000,00000001,003F22F8,00000000,?,003E98FD), ref: 003E4021
                                                                                              • GetLastError.KERNEL32(?,003E98FD,00000001,00000100,003F22F8,003EA3C7), ref: 003E402C
                                                                                              • Sleep.KERNEL32(000001F4,?,003E98FD,00000001,00000100,003F22F8,003EA3C7), ref: 003E4046
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateErrorFileLastSleep
                                                                                              • String ID:
                                                                                              • API String ID: 408151869-0
                                                                                              • Opcode ID: bd1735c10559f9d89f95fe88d620f78f1779c310da91a7dffe2f396198909512
                                                                                              • Instruction ID: 55d378455867eb3843f839966c2c016f0d2efe8c1657c92bf74c8671cf6c4d31
                                                                                              • Opcode Fuzzy Hash: bd1735c10559f9d89f95fe88d620f78f1779c310da91a7dffe2f396198909512
                                                                                              • Instruction Fuzzy Hash: 57F0A7712401516ADB370B6AAC49B2AB265EB85730F264B34F3B5E20E0CA304C859B14
                                                                                              APIs
                                                                                              • GetEnvironmentVariableA.KERNEL32(003EDC19,?,00000104), ref: 003EDB7F
                                                                                              • lstrcpyA.KERNEL32(?,003F28F8), ref: 003EDBA4
                                                                                              • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 003EDBC2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                              • String ID:
                                                                                              • API String ID: 2536392590-0
                                                                                              • Opcode ID: 1c4f3e8f462d517db4db4844fbff601e62f36b8a59ae91da16ed7ebc77553fb6
                                                                                              • Instruction ID: f9bda2877ac7dc9b15e32106334eb5b3363186478c52d2cd6ff84b00ea2e3144
                                                                                              • Opcode Fuzzy Hash: 1c4f3e8f462d517db4db4844fbff601e62f36b8a59ae91da16ed7ebc77553fb6
                                                                                              • Instruction Fuzzy Hash: 92F0907050024ABBEF129F64DC49FE93B69AB10308F504194BB51A40D0DBF2D545CB10
                                                                                              APIs
                                                                                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 003EEC5E
                                                                                              • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 003EEC72
                                                                                              • GetTickCount.KERNEL32 ref: 003EEC78
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$CountFileInformationSystemTickVolume
                                                                                              • String ID:
                                                                                              • API String ID: 1209300637-0
                                                                                              • Opcode ID: 8dc2265a86fe31fdb2b22ca5b8f63fc13549d8ff86ef0c83509101dd8ef14578
                                                                                              • Instruction ID: f01ec28f9757a0675bf74d07651f670dbcfcdf9e50d05f03113786e39fc4927b
                                                                                              • Opcode Fuzzy Hash: 8dc2265a86fe31fdb2b22ca5b8f63fc13549d8ff86ef0c83509101dd8ef14578
                                                                                              • Instruction Fuzzy Hash: 12E09AF5810105BFE706ABB4DD4AE7B77BCEB08315F500650B911D6191DA709A04CB64
                                                                                              APIs
                                                                                              • gethostname.WS2_32(?,00000080), ref: 003E30D8
                                                                                              • gethostbyname.WS2_32(?), ref: 003E30E2
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: gethostbynamegethostname
                                                                                              • String ID:
                                                                                              • API String ID: 3961807697-0
                                                                                              • Opcode ID: 4bfd2989f47b098b5fecf634e950c868419b8ba73aefddcc667ff29e66934e90
                                                                                              • Instruction ID: 46929e0f02c42f0abde5d042f4e100cee234f4717797b1bca4dd9862e5a08d84
                                                                                              • Opcode Fuzzy Hash: 4bfd2989f47b098b5fecf634e950c868419b8ba73aefddcc667ff29e66934e90
                                                                                              • Instruction Fuzzy Hash: 56E09B71900129ABCF00DBACEC89F9A77ECFF04304F180561F905E7291EA34E904C7A0
                                                                                              APIs
                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,80000001,003EEBFE,7FFF0001,?,003EDB55,7FFF0001), ref: 003EEBD3
                                                                                              • RtlAllocateHeap.NTDLL(00000000,?,003EDB55,7FFF0001), ref: 003EEBDA
                                                                                                • Part of subcall function 003EEB74: GetProcessHeap.KERNEL32(00000000,00000000,003EEC28,00000000,?,003EDB55,7FFF0001), ref: 003EEB81
                                                                                                • Part of subcall function 003EEB74: HeapSize.KERNEL32(00000000,?,003EDB55,7FFF0001), ref: 003EEB88
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Heap$Process$AllocateSize
                                                                                              • String ID:
                                                                                              • API String ID: 2559512979-0
                                                                                              • Opcode ID: 22d34c56d009609465b18895b9a5bc92db4ed0bc57781d1772fca061e28fc73b
                                                                                              • Instruction ID: 45aa37b60b27b1df9e86aa210e8cc880149eace857535518d58d9c20a3db4adc
                                                                                              • Opcode Fuzzy Hash: 22d34c56d009609465b18895b9a5bc92db4ed0bc57781d1772fca061e28fc73b
                                                                                              • Instruction Fuzzy Hash: ECC0807610823067C60727A87C0CEAA3E5CDF04352F040104F505C5361C7304840C791
                                                                                              APIs
                                                                                              • recv.WS2_32(000000C8,?,00000000,003ECA44), ref: 003EF476
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: recv
                                                                                              • String ID:
                                                                                              • API String ID: 1507349165-0
                                                                                              • Opcode ID: 04aabd5712ed3f3a6d0e2241a101d33a7b69c0f7bcd0ea2a3cc508344e632db9
                                                                                              • Instruction ID: cb9d20111c016856f4332fc0e742fe5802b060b380187ef9f4687430fddd5373
                                                                                              • Opcode Fuzzy Hash: 04aabd5712ed3f3a6d0e2241a101d33a7b69c0f7bcd0ea2a3cc508344e632db9
                                                                                              • Instruction Fuzzy Hash: 3DF01272201599BF9F129E5BDC84CAB3BADFB893507050621FA14D7190D671D8218B70
                                                                                              APIs
                                                                                              • closesocket.WS2_32(00000000), ref: 003E1992
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: closesocket
                                                                                              • String ID:
                                                                                              • API String ID: 2781271927-0
                                                                                              • Opcode ID: 4e4a533449733896743643aaa0fe24e7e734ee19517ecd09b01263519163d4ab
                                                                                              • Instruction ID: 05b8182a2a103b8fc38b4628c1395bf4936a49df7a4702631dcca695298e32a4
                                                                                              • Opcode Fuzzy Hash: 4e4a533449733896743643aaa0fe24e7e734ee19517ecd09b01263519163d4ab
                                                                                              • Instruction Fuzzy Hash: 0DD022361082313A9202235EBC0487FAB9CCF04262B01842BFC48C0192C734CC8183E1
                                                                                              APIs
                                                                                              • lstrcmpiA.KERNEL32(80000011,00000000), ref: 003EDDB5
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmpi
                                                                                              • String ID:
                                                                                              • API String ID: 1586166983-0
                                                                                              • Opcode ID: 3b36e58eec61b8eddb955905ca013337078bfb892a42b28b208dd0fa50978e5e
                                                                                              • Instruction ID: d8cef445f416f005f82792b421b132a46b8c2818d7efc77c9859cb8c8d1d7fb7
                                                                                              • Opcode Fuzzy Hash: 3b36e58eec61b8eddb955905ca013337078bfb892a42b28b208dd0fa50978e5e
                                                                                              • Instruction Fuzzy Hash: A5F012362046A3CBCB22CE6A9C44667B7E8EF45325F264A3EE155D21D0DB30DC55CB51
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,003E9816,EntryPoint), ref: 003E638F
                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,003E9816,EntryPoint), ref: 003E63A9
                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 003E63CA
                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 003E63EB
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 1965334864-0
                                                                                              • Opcode ID: 4b7de874b6893937baed6bdc52b2cceb04273a0b338c3b76053ef61061dc8ea5
                                                                                              • Instruction ID: fe822f5d620efda884927bbae29455f738fb8e435a8900ffb86e8d64bdf92e5f
                                                                                              • Opcode Fuzzy Hash: 4b7de874b6893937baed6bdc52b2cceb04273a0b338c3b76053ef61061dc8ea5
                                                                                              • Instruction Fuzzy Hash: 231173B5600269BFDB129F6ADC4AF9B3FACEB147A5F114124F905E72D1D671DC00CAA0
                                                                                              APIs
                                                                                              • LoadLibraryA.KERNEL32(ntdll.dll,00000000,003E1839,003E9646), ref: 003E1012
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 003E10C2
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 003E10E1
                                                                                              • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 003E1101
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 003E1121
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 003E1140
                                                                                              • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 003E1160
                                                                                              • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 003E1180
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 003E119F
                                                                                              • GetProcAddress.KERNEL32(00000000,NtClose), ref: 003E11BF
                                                                                              • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 003E11DF
                                                                                              • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 003E11FE
                                                                                              • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 003E121A
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AddressProc$LibraryLoad
                                                                                              • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                              • API String ID: 2238633743-3228201535
                                                                                              • Opcode ID: 79066f7e98e03647539d9cc6dbba7a3f576d3c63ba48a935bfd880abeac0927d
                                                                                              • Instruction ID: 6abf26633b1a939b71c52f931b0c7562ae1956bed3ed576c53964b9a3afa1960
                                                                                              • Opcode Fuzzy Hash: 79066f7e98e03647539d9cc6dbba7a3f576d3c63ba48a935bfd880abeac0927d
                                                                                              • Instruction Fuzzy Hash: B951DCB2546A96AAD7239B6AEC44BB336FC6748764F150326D620D22F0D7F0CAC1CB51
                                                                                              APIs
                                                                                              • GetLocalTime.KERNEL32(?), ref: 003EB2B3
                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003EB2C2
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 003EB2D0
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 003EB2E1
                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 003EB31A
                                                                                              • GetTimeZoneInformation.KERNEL32(?), ref: 003EB329
                                                                                              • wsprintfA.USER32 ref: 003EB3B7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                              • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                              • API String ID: 766114626-2976066047
                                                                                              • Opcode ID: 8c017a4a6ad3c0255da12ec8bab71368c8ed73bcb47923057e06c7598f9216be
                                                                                              • Instruction ID: 7f118698f1556a5dac9ccec89b0234b7ed2a590e38f856749e5f08a4469317b7
                                                                                              • Opcode Fuzzy Hash: 8c017a4a6ad3c0255da12ec8bab71368c8ed73bcb47923057e06c7598f9216be
                                                                                              • Instruction Fuzzy Hash: 21513FB9D0022DAACF1ADFD9DD858FEBBB9FF48304F114219E605BA151D3744A89CB50
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                              • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                              • API String ID: 2400214276-165278494
                                                                                              • Opcode ID: 0907d4b67d34e9e545c88dddeeeb515c26afac70cfbd0324c4596c8fb1dc49ce
                                                                                              • Instruction ID: 5b6fc09b0a91149b12a7ef1024064eb7ed6733106f952bfa586e89c6c5592bf5
                                                                                              • Opcode Fuzzy Hash: 0907d4b67d34e9e545c88dddeeeb515c26afac70cfbd0324c4596c8fb1dc49ce
                                                                                              • Instruction Fuzzy Hash: C1618F72950218AFDB659FB8DC45FEA77E8FF08300F144169FA6CD21A2DA709940CF10
APIs
Strings
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-4264063882
• Opcode ID: e2c908daa380f9864d8056bf50ee2732566606ff2eaf70eba890600f89f79285
• Instruction ID: f2085aa92b14f29b096908302de0ff7e20029db8cf8659e8968e158f20abce6a
• Opcode Fuzzy Hash: e2c908daa380f9864d8056bf50ee2732566606ff2eaf70eba890600f89f79285
• Instruction Fuzzy Hash: 85A137719047F9AADF278A5ADC85FBE3B6DAB00304F250226F901A60D2DB71BD48C753
APIs
• ShellExecuteExW.SHELL32(?), ref: 003E139A
• lstrlenW.KERNEL32(-00000003), ref: 003E1571
Strings
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
• Opcode ID: fe176b6b1866c602ae56e1baec670ee3026e8ebf0623587ba2dd52b781b5e2f3
• Instruction ID: 0dfec0e007f3c93d1437e50941a45039ed101956c24a40336174046e338eb145
• Opcode Fuzzy Hash: fe176b6b1866c602ae56e1baec670ee3026e8ebf0623587ba2dd52b781b5e2f3
• Instruction Fuzzy Hash: 53F1CEB55083919FD322DF65C888BABB7E8FB88700F004A2DF996D7290D7B4D944CB52
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 003E2A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 003E2A86
• socket.WS2_32(00000002,00000002,00000011), ref: 003E2AA0
• htons.WS2_32(00000000), ref: 003E2ADB
• select.WS2_32 ref: 003E2B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 003E2B4A
• htons.WS2_32(?), ref: 003E2B71
• htons.WS2_32(?), ref: 003E2B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 003E2BFB
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: d3745b96ad68d9748ac020ed17ace19fe6038ce9c15e5d60ca5e0e7c718bb5e7
• Instruction ID: 76df1fed4e02d930b14cb8c7c65b454da0f5219300f95ed947c1eecd1e51f623
• Opcode Fuzzy Hash: d3745b96ad68d9748ac020ed17ace19fe6038ce9c15e5d60ca5e0e7c718bb5e7
• Instruction Fuzzy Hash: 2B61C3B1504365ABD7229F66DC08B7FBBECFB48341F110A19F94997291D7B0D840CBA1
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 003E70C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 003E719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 003E71B2
• RegCloseKey.ADVAPI32(75920F10), ref: 003E7208
• RegCloseKey.ADVAPI32(75920F10), ref: 003E7291
• ___ascii_stricmp.LIBCMT ref: 003E72C2
• RegCloseKey.ADVAPI32(75920F10), ref: 003E72D0
• RegCloseKey.ADVAPI32(75920F10), ref: 003E7314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 003E738D
• RegCloseKey.ADVAPI32(75920F10), ref: 003E73D8
  • Part of subcall function 003EF1A5: lstrlenA.KERNEL32(000000C8,000000E4,003F22F8,000000C8,003E7150,?), ref: 003EF1AD
Strings
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 1f2d0bf738f6c1915fbad25c5ccb7f2497bcaf3891126f49cf8bfdb0c59b467e
• Instruction ID: d620c5447bac0985255e5390f3725d9674b7b867a25aed5ff1759dfd09e5c933
• Opcode Fuzzy Hash: 1f2d0bf738f6c1915fbad25c5ccb7f2497bcaf3891126f49cf8bfdb0c59b467e
• Instruction Fuzzy Hash: 45B1A3719082AAAEDF169FA5DC45BEF77BCEF04300F100666F501E61D1EB719A84CB60
APIs
• GetLocalTime.KERNEL32(?), ref: 003EAD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 003EADA6
  • Part of subcall function 003EAD08: gethostname.WS2_32(?,00000080), ref: 003EAD1C
  • Part of subcall function 003EAD08: lstrlenA.KERNEL32(?), ref: 003EAD60
  • Part of subcall function 003EAD08: lstrlenA.KERNEL32(?), ref: 003EAD69
  • Part of subcall function 003EAD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 003EAD7F
  • Part of subcall function 003E30B5: gethostname.WS2_32(?,00000080), ref: 003E30D8
  • Part of subcall function 003E30B5: gethostbyname.WS2_32(?), ref: 003E30E2
• wsprintfA.USER32 ref: 003EAEA5
  • Part of subcall function 003EA7A3: inet_ntoa.WS2_32(00000000), ref: 003EA7A9
• wsprintfA.USER32 ref: 003EAE4F
• wsprintfA.USER32 ref: 003EAE5E
  • Part of subcall function 003EEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 003EEF92
  • Part of subcall function 003EEF7C: lstrlenA.KERNEL32(?), ref: 003EEF99
  • Part of subcall function 003EEF7C: lstrlenA.KERNEL32(00000000), ref: 003EEFA0
Strings
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: f1ebd6541424d1d64c0e5f153cc3adfba9ee81bfeed9b12708334f11b715d2ea
• Instruction ID: 9e5e46e7032ae775148ae1097ba7f3edab7960bfe959372f0c88bf9b9c9a38af
• Opcode Fuzzy Hash: f1ebd6541424d1d64c0e5f153cc3adfba9ee81bfeed9b12708334f11b715d2ea
• Instruction Fuzzy Hash: E44153B290025CABDF26EFA5CC46EEF3BADFF48300F140516FA1596192E671E914CB50
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,003E2F0F,?,003E20FF,003F2000), ref: 003E2E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,003E2F0F,?,003E20FF,003F2000), ref: 003E2E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 003E2E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,003E2F0F,?,003E20FF,003F2000), ref: 003E2E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,003E2F0F,?,003E20FF,003F2000), ref: 003E2E4F
• htons.WS2_32(00000035), ref: 003E2E88
• inet_addr.WS2_32(?), ref: 003E2E93
• gethostbyname.WS2_32(?), ref: 003E2EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,003E2F0F,?,003E20FF,003F2000), ref: 003E2EE3
• HeapFree.KERNEL32(00000000,?,00000000,003E2F0F,?,003E20FF,003F2000), ref: 003E2EE6
Strings
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: cc37482569f6cb3b3d435f1e9e7f1b3992feb256e0b6ed7eb7b567766432d8f0
• Instruction ID: 5ea46bcbe7763f3da6fa336d3751a884eecdfa55575b650e3b77f2172296d0ef
• Opcode Fuzzy Hash: cc37482569f6cb3b3d435f1e9e7f1b3992feb256e0b6ed7eb7b567766432d8f0
• Instruction Fuzzy Hash: 6531B175A0026AABDB139BBA9C48A7F77BCAF84360F150215F914E72D1DB30D941CBA0
APIs
• GetVersionExA.KERNEL32(?,?,003E9DD7,?,00000022,?,?,00000000,00000001), ref: 003E9340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,003E9DD7,?,00000022,?,?,00000000,00000001), ref: 003E936E
• GetModuleFileNameA.KERNEL32(00000000,?,003E9DD7,?,00000022,?,?,00000000,00000001), ref: 003E9375
• wsprintfA.USER32 ref: 003E93CE
• wsprintfA.USER32 ref: 003E940C
• wsprintfA.USER32 ref: 003E948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 003E94F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 003E9526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 003E9571
Strings
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
• API String ID: 3696105349-4000483414
• Opcode ID: e13edd6960ace4c56794ec1662378cb5392f6c23b546dddb05fb1cb8366dfb57
• Instruction ID: aa36bb042fb07a7d81889e0d6dc5fa4042dc5199a1cd439f33af88a03985c72b
• Opcode Fuzzy Hash: e13edd6960ace4c56794ec1662378cb5392f6c23b546dddb05fb1cb8366dfb57
• Instruction Fuzzy Hash: 33A15EB194029CEBEB279FA6CC45FEF3BACEB44740F100126FA05961D2E7759944CBA1
APIs
• wsprintfA.USER32 ref: 003EB467
  • Part of subcall function 003EEF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 003EEF92
  • Part of subcall function 003EEF7C: lstrlenA.KERNEL32(?), ref: 003EEF99
  • Part of subcall function 003EEF7C: lstrlenA.KERNEL32(00000000), ref: 003EEFA0
Strings
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: 6f52402e37f4443543b4129bd118558899e8486da16d260da39b09b82fd89a14
• Instruction ID: 8dcb383a01ff5c4579ccd87ca15843e089d87e0268ea01f1f02df3fd55d49014
• Opcode Fuzzy Hash: 6f52402e37f4443543b4129bd118558899e8486da16d260da39b09b82fd89a14
• Instruction Fuzzy Hash: 0F4183B254016C7EDF02ABA5CCC2CFF7B6CEF49748B140225FA04AA082DB74AD1597B1
APIs
• GetTickCount.KERNEL32 ref: 003E2078
• GetTickCount.KERNEL32 ref: 003E20D4
• GetTickCount.KERNEL32 ref: 003E20DB
• GetTickCount.KERNEL32 ref: 003E212B
• GetTickCount.KERNEL32 ref: 003E2132
• GetTickCount.KERNEL32 ref: 003E2142
  • Part of subcall function 003EF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,003EE342,00000000,7508EA50,80000001,00000000,003EE513,?,00000000,00000000,?,000000E4), ref: 003EF089
  • Part of subcall function 003EF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,003EE342,00000000,7508EA50,80000001,00000000,003EE513,?,00000000,00000000,?,000000E4,000000C8), ref: 003EF093
  • Part of subcall function 003EE854: lstrcpyA.KERNEL32(00000001,?,?,003ED8DF,00000001,localcfg,except_info,00100000,003F0264), ref: 003EE88B
  • Part of subcall function 003EE854: lstrlenA.KERNEL32(00000001,?,003ED8DF,00000001,localcfg,except_info,00100000,003F0264), ref: 003EE899
  • Part of subcall function 003E1C5F: wsprintfA.USER32 ref: 003E1CE1
Strings
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: 5ffb080e04d38a8412fceddcd25290a36aaa15795602e5ad6e0e80c623102893
• Instruction ID: 9bc6506223f890980c30c2d8a62c3a1fc8159087ea0a752599509c839b0d3cb3
• Opcode Fuzzy Hash: 5ffb080e04d38a8412fceddcd25290a36aaa15795602e5ad6e0e80c623102893
• Instruction Fuzzy Hash: 85510731604796EFE72BEF36ED46B773BDCAB04310F110A2DE6018A1E2DBB49944C611
APIs
  • Part of subcall function 003EA4C7: GetTickCount.KERNEL32 ref: 003EA4D1
  • Part of subcall function 003EA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 003EA4FA
• GetTickCount.KERNEL32 ref: 003EC31F
• GetTickCount.KERNEL32 ref: 003EC32B
• GetTickCount.KERNEL32 ref: 003EC363
• GetTickCount.KERNEL32 ref: 003EC378
• GetTickCount.KERNEL32 ref: 003EC44D
• InterlockedIncrement.KERNEL32(003EC4E4), ref: 003EC4AE
• CreateThread.KERNEL32(00000000,00000000,003EB535,00000000,?,003EC4E0), ref: 003EC4C1
• CloseHandle.KERNEL32(00000000,?,003EC4E0,003F3588,003E8810), ref: 003EC4CC
Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 1553760989-1857712256
                                                                                              APIs
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 003EBE4F
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 003EBE5B
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 003EBE67
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 003EBF6A
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 003EBF7F
                                                                                              • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 003EBF94
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmpi
                                                                                              • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                              • API String ID: 1586166983-1625972887
                                                                                              APIs
                                                                                              • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6A7D
                                                                                              • GetDiskFreeSpaceA.KERNEL32(003E9E9D,003E9A60,?,?,?,003F22F8,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6ABB
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6B40
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6B4E
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6B5F
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6B6F
                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6B7D
                                                                                              • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,003E9A60,?,?,003E9E9D), ref: 003E6B80
                                                                                              • GetLastError.KERNEL32(?,?,?,003E9A60,?,?,003E9E9D,?,?,?,?,?,003E9E9D,?,00000022,?), ref: 003E6B96
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                              • String ID:
                                                                                              • API String ID: 3188212458-0
                                                                                              APIs
                                                                                              • GetUserNameA.ADVAPI32(?,003ED7C3), ref: 003E6F7A
                                                                                              • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,003ED7C3), ref: 003E6FC1
                                                                                              • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 003E6FE8
                                                                                              • LocalFree.KERNEL32(00000120), ref: 003E701F
                                                                                              • wsprintfA.USER32 ref: 003E7036
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                              • String ID: /%d$|
                                                                                              • API String ID: 676856371-4124749705
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,003F22F8,000000E4,003E6DDC,000000C8), ref: 003E6CE7
                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 003E6CEE
                                                                                              • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 003E6D14
                                                                                              • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 003E6D2B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                              • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                              • API String ID: 1082366364-3395550214
                                                                                              APIs
                                                                                              • CreateProcessA.KERNEL32(00000000,003E9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,003F22F8), ref: 003E97B1
                                                                                              • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,003F22F8), ref: 003E97EB
                                                                                              • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,003F22F8), ref: 003E97F9
                                                                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,003F22F8), ref: 003E9831
                                                                                              • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,003F22F8), ref: 003E984E
                                                                                              • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,003F22F8), ref: 003E985B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                              • String ID: D
                                                                                              • API String ID: 2981417381-2746444292
                                                                                              APIs
                                                                                                • Part of subcall function 003EDD05: GetTickCount.KERNEL32 ref: 003EDD0F
                                                                                                • Part of subcall function 003EDD05: InterlockedExchange.KERNEL32(003F36B4,00000001), ref: 003EDD44
                                                                                                • Part of subcall function 003EDD05: GetCurrentThreadId.KERNEL32 ref: 003EDD53
                                                                                                • Part of subcall function 003EDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 003EDDB5
                                                                                              • lstrcpynA.KERNEL32(?,003E1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,003EEAAA,?,?), ref: 003EE8DE
                                                                                              • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,003EEAAA,?,?,00000001,?,003E1E84,?), ref: 003EE935
                                                                                              • lstrlenA.KERNEL32(00000001,?,?,?,?,?,003EEAAA,?,?,00000001,?,003E1E84,?,0000000A), ref: 003EE93D
                                                                                              • lstrlenA.KERNEL32(00000000,?,?,?,?,?,003EEAAA,?,?,00000001,?,003E1E84,?), ref: 003EE94F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                              • String ID: flags_upd$localcfg
                                                                                              • API String ID: 204374128-3505511081
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Code
                                                                                              • String ID:
                                                                                              • API String ID: 3609698214-0
                                                                                              APIs
                                                                                              • GetTempPathA.KERNEL32(00000400,?,00000000,003F22F8), ref: 003E907B
                                                                                              • wsprintfA.USER32 ref: 003E90E9
                                                                                              • CreateFileA.KERNEL32(003F22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E910E
                                                                                              • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 003E9122
                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 003E912D
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 003E9134
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                              • String ID:
                                                                                              • API String ID: 2439722600-0
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 003EDD0F
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 003EDD20
                                                                                              • GetTickCount.KERNEL32 ref: 003EDD2E
                                                                                              • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,003EE538,?,75920F10,?,00000000,?,003EA445), ref: 003EDD3B
                                                                                              • InterlockedExchange.KERNEL32(003F36B4,00000001), ref: 003EDD44
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 003EDD53
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                              • String ID:
                                                                                              • API String ID: 3819781495-0
                                                                                              APIs
                                                                                              • gethostname.WS2_32(?,00000080), ref: 003EAD1C
                                                                                              • lstrlenA.KERNEL32(?), ref: 003EAD60
                                                                                              • lstrlenA.KERNEL32(?), ref: 003EAD69
                                                                                              • lstrcpyA.KERNEL32(?,LocalHost), ref: 003EAD7F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$gethostnamelstrcpy
                                                                                              • String ID: LocalHost
                                                                                              • API String ID: 3695455745-3154191806
                                                                                              • Opcode ID: 03512b668d41021ac0ebb43e6df26e79b8b70988dedb66f3616d131703df435d
                                                                                              • Instruction ID: d61b2b5bd901aad694975775216cac45b079e92c5f9cf0af8858f6f8678030e7
                                                                                              • Opcode Fuzzy Hash: 03512b668d41021ac0ebb43e6df26e79b8b70988dedb66f3616d131703df435d
                                                                                              • Instruction Fuzzy Hash: 3B0189208445E95DCF37062ECC64BF77F699B92707F110211E0C0CB9A2DA14F8478363
                                                                                              APIs
                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,003E98FD,00000001,00000100,003F22F8,003EA3C7), ref: 003E4290
                                                                                              • CloseHandle.KERNEL32(003EA3C7), ref: 003E43AB
                                                                                              • CloseHandle.KERNEL32(00000001), ref: 003E43AE
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: CloseHandle$CreateEvent
                                                                                              • String ID:
                                                                                              • API String ID: 1371578007-0
                                                                                              • Opcode ID: d667bcea8fa64d42e0c342aa12c098c1cd96559ef895c97749f50daac3fb6079
                                                                                              • Instruction ID: 7c09097b1d9563e8f3e7dfc82c24e7ddd7a222f5c367195cedf34e73ddc82695
                                                                                              • Opcode Fuzzy Hash: d667bcea8fa64d42e0c342aa12c098c1cd96559ef895c97749f50daac3fb6079
                                                                                              • Instruction Fuzzy Hash: C941A271D00259BADB12ABA2CD4AFAFBFBCEF44324F104655F604A61C2D7349A51DBA0
                                                                                              APIs
                                                                                              • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,003E64CF,00000000), ref: 003E609C
                                                                                              • LoadLibraryA.KERNEL32(?,?,003E64CF,00000000), ref: 003E60C3
                                                                                              • GetProcAddress.KERNEL32(?,00000014), ref: 003E614A
                                                                                              • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 003E619E
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Read$AddressLibraryLoadProc
                                                                                              • String ID:
                                                                                              • API String ID: 2438460464-0
                                                                                              • Opcode ID: d28e02e82f646d1b3be1c0862bfc4c72fb2283b3f609a1859ad3179b29a3d64c
                                                                                              • Instruction ID: 5cd4d8f01a642d667da1026a3d3c39b0593b2c44a9969958b4a452234f2c3061
                                                                                              • Opcode Fuzzy Hash: d28e02e82f646d1b3be1c0862bfc4c72fb2283b3f609a1859ad3179b29a3d64c
                                                                                              • Instruction Fuzzy Hash: 86418071A04166EFDB16CF5AC885B69B7B9EF24394F25826CE815D72D2D730ED40CB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 09e0a609d163739e06c4fd6956fb8d386307ebea30777c72a6c6e8d93c6ce2d1
                                                                                              • Instruction ID: 38ddae72aced4896961272763532f7306c7032b40e91a6c7d7c1473ee14e57d6
                                                                                              • Opcode Fuzzy Hash: 09e0a609d163739e06c4fd6956fb8d386307ebea30777c72a6c6e8d93c6ce2d1
                                                                                              • Instruction Fuzzy Hash: F031A271900268ABCF129FAACC81ABFB7F8FF48701F104556F505EA282E774D651CB50
                                                                                              APIs
                                                                                              • GetTickCount.KERNEL32 ref: 003E272E
                                                                                              • htons.WS2_32(00000001), ref: 003E2752
                                                                                              • htons.WS2_32(0000000F), ref: 003E27D5
                                                                                              • htons.WS2_32(00000001), ref: 003E27E3
                                                                                              • sendto.WS2_32(?,003F2BF8,00000009,00000000,00000010,00000010), ref: 003E2802
                                                                                                • Part of subcall function 003EEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,003EEBFE,7FFF0001,?,003EDB55,7FFF0001), ref: 003EEBD3
                                                                                                • Part of subcall function 003EEBCC: RtlAllocateHeap.NTDLL(00000000,?,003EDB55,7FFF0001), ref: 003EEBDA
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                              • String ID:
                                                                                              • API String ID: 1128258776-0
                                                                                              • Opcode ID: 4127b3162b85e204adb30142a9660362d8452928ef311c96c91202ead463712a
                                                                                              • Instruction ID: 25f55e587af513ed3e1b42e4ca207ceed2d00df990cf563cb0f09be11c5f81bf
                                                                                              • Opcode Fuzzy Hash: 4127b3162b85e204adb30142a9660362d8452928ef311c96c91202ead463712a
                                                                                              • Instruction Fuzzy Hash: CE3100342443969FD7128FF5DC80A737768AF19318F1A806DEC558B3A3D6329C82EB10
                                                                                              APIs
                                                                                              • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,003F22F8), ref: 003E915F
                                                                                              • GetModuleFileNameA.KERNEL32(00000000), ref: 003E9166
                                                                                              • CharToOemA.USER32(?,?), ref: 003E9174
                                                                                              • wsprintfA.USER32 ref: 003E91A9
                                                                                                • Part of subcall function 003E9064: GetTempPathA.KERNEL32(00000400,?,00000000,003F22F8), ref: 003E907B
                                                                                                • Part of subcall function 003E9064: wsprintfA.USER32 ref: 003E90E9
                                                                                                • Part of subcall function 003E9064: CreateFileA.KERNEL32(003F22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 003E910E
                                                                                                • Part of subcall function 003E9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 003E9122
                                                                                                • Part of subcall function 003E9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 003E912D
                                                                                                • Part of subcall function 003E9064: CloseHandle.KERNEL32(00000000), ref: 003E9134
                                                                                              • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 003E91E1
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                              • String ID:
                                                                                              • API String ID: 3857584221-0
                                                                                              • Opcode ID: 2f3cc61425b953584761f66c1053b57d1e2fe18a1e48e38e136055fc7386b4c8
                                                                                              • Instruction ID: a93b9fd5980dcc7de5a7cf8add6e8c522ab8a970d8d6bb659830a7c82e3e9931
                                                                                              • Opcode Fuzzy Hash: 2f3cc61425b953584761f66c1053b57d1e2fe18a1e48e38e136055fc7386b4c8
                                                                                              • Instruction Fuzzy Hash: 920192FA9001587BD722A7668D49FEF777CDB85701F000091B749E2081DA749684CF70
                                                                                              APIs
                                                                                              • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,003E2491,?,?,?,003EE844,-00000030,?,?,?,00000001), ref: 003E2429
                                                                                              • lstrlenA.KERNEL32(?,?,003E2491,?,?,?,003EE844,-00000030,?,?,?,00000001,003E1E3D,00000001,localcfg,lid_file_upd), ref: 003E243E
                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 003E2452
                                                                                              • lstrlenA.KERNEL32(?,?,003E2491,?,?,?,003EE844,-00000030,?,?,?,00000001,003E1E3D,00000001,localcfg,lid_file_upd), ref: 003E2467
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrlen$lstrcmpi
                                                                                              • String ID: localcfg
                                                                                              • API String ID: 1808961391-1857712256
                                                                                              • Opcode ID: 1cbe9d4c6abe3dd79f7ba0d6ae38f41d2ce9be06201586059670cf05a50b63ab
                                                                                              • Instruction ID: 4e193c97ce8361ea9ce28c084bc74cb897065d32effa4fdd63180c0db60434f9
                                                                                              • Opcode Fuzzy Hash: 1cbe9d4c6abe3dd79f7ba0d6ae38f41d2ce9be06201586059670cf05a50b63ab
                                                                                              • Instruction Fuzzy Hash: BC011A3160026DAF8F12EF6ACC808DE7BADEF44354B01C525E859A7251E730EA44CE90
                                                                                              APIs
                                                                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 003E6F0F
                                                                                              • CheckTokenMembership.ADVAPI32(00000000,?,*p>), ref: 003E6F24
                                                                                              • FreeSid.ADVAPI32(?), ref: 003E6F3E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                              • String ID: *p>
                                                                                              • API String ID: 3429775523-616922745
                                                                                              • Opcode ID: f64beb4d0c61276163834bb7262f624d8b7fc829d364878bf93e3503dd4fd196
                                                                                              • Instruction ID: 6a7fe5a5c4e01ac017a91760050c0ca953f37630e386d743ebd1eb52ac2205d9
                                                                                              • Opcode Fuzzy Hash: f64beb4d0c61276163834bb7262f624d8b7fc829d364878bf93e3503dd4fd196
                                                                                              • Instruction Fuzzy Hash: 55011E72904219EFDB11DFE5ED85EAE77BCEB04340F504869E105E21A1EB70A944CA14
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: wsprintf
                                                                                              • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                              • API String ID: 2111968516-120809033
                                                                                              • Opcode ID: 3abebe90ff4bd4755c30afb468ad2f40146d8f2d182f8d8969e6b28dcdee0a6b
                                                                                              • Instruction ID: 87a157901179393ef79f5c13a107ce40a929f4cc5d6a25c116931c07d39eb6fd
                                                                                              • Opcode Fuzzy Hash: 3abebe90ff4bd4755c30afb468ad2f40146d8f2d182f8d8969e6b28dcdee0a6b
                                                                                              • Instruction Fuzzy Hash: B6419E729042A89FDF22CF798D44BEE3BE89F49310F240156FDA4D7192D634DA04CBA0
                                                                                              APIs
                                                                                                • Part of subcall function 003EDD05: GetTickCount.KERNEL32 ref: 003EDD0F
                                                                                                • Part of subcall function 003EDD05: InterlockedExchange.KERNEL32(003F36B4,00000001), ref: 003EDD44
                                                                                                • Part of subcall function 003EDD05: GetCurrentThreadId.KERNEL32 ref: 003EDD53
                                                                                              • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,003E5EC1), ref: 003EE693
                                                                                              • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,003E5EC1), ref: 003EE6E9
                                                                                              • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,003E5EC1), ref: 003EE722
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                              • String ID: 89ABCDEF
                                                                                              • API String ID: 3343386518-71641322
                                                                                              • Opcode ID: 4b893ae6ff4921343918706895eddc292eb8aa79d34a1b094088f86634e7891a
                                                                                              • Instruction ID: a4ed637812e3df58f261cc56ee1628a87e94fd7e188357639fa0f2ba7c51029d
                                                                                              • Opcode Fuzzy Hash: 4b893ae6ff4921343918706895eddc292eb8aa79d34a1b094088f86634e7891a
                                                                                              • Instruction Fuzzy Hash: BC31BE32604BA6DBCB378F66D884B6777E8AF24324F11462AE5558B5D1E770EC80CB81
                                                                                              APIs
                                                                                              • RegCreateKeyExA.ADVAPI32(80000001,003EE2A3,00000000,00000000,00000000,00020106,00000000,003EE2A3,00000000,000000E4), ref: 003EE0B2
                                                                                              • RegSetValueExA.ADVAPI32(003EE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,003F22F8), ref: 003EE127
                                                                                              • RegDeleteValueA.ADVAPI32(003EE2A3,?,?,?,?,?,000000C8,003F22F8), ref: 003EE158
                                                                                              • RegCloseKey.ADVAPI32(003EE2A3,?,?,?,?,000000C8,003F22F8,?,?,?,?,?,?,?,?,003EE2A3), ref: 003EE161
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: Value$CloseCreateDelete
                                                                                              • String ID:
                                                                                              • API String ID: 2667537340-0
                                                                                              • Opcode ID: c2976b3cc87eb5b21ce74a10b073a0db87f882d70c5b04dc0420d7c7295b5558
                                                                                              • Instruction ID: 14adb114c5888da5ab8d1aabc9606cbd3da5bf580eeeaa9425aa64f968de2adb
                                                                                              • Opcode Fuzzy Hash: c2976b3cc87eb5b21ce74a10b073a0db87f882d70c5b04dc0420d7c7295b5558
                                                                                              • Instruction Fuzzy Hash: 0A21BF31A00229BBDF229FA6DC89EEE7F7CEF09750F004161F904E6091E6718A54DB90
                                                                                              APIs
                                                                                              • WriteFile.KERNEL32(00000000,00000000,003EA3C7,00000000,00000000,000007D0,00000001), ref: 003E3F44
                                                                                              • GetLastError.KERNEL32 ref: 003E3F4E
                                                                                              • WaitForSingleObject.KERNEL32(00000004,?), ref: 003E3F5F
                                                                                              • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 003E3F72
                                                                                              Memory Dump Source
                                                                                              • Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
                                                                                              Yara matches
                                                                                              Similarity
                                                                                              • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3373104450-0
                                                                                              • Opcode ID: c4305e9d0cac0fe4c87bfe2a3567000cb711075f9b6881f064684c340d54531a
                                                                                              • Instruction ID: 1cf39030833948cd5b2ddec3ed9d388fa940da14fd30ca92de64b8070c44dc6f
                                                                                              • Opcode Fuzzy Hash: c4305e9d0cac0fe4c87bfe2a3567000cb711075f9b6881f064684c340d54531a
                                                                                              • Instruction Fuzzy Hash: 3401D37291115AABDB02DF95ED88BEE7BBCEB04355F114125FA01E2090D730DA25CBA2

APIs
• ReadFile.KERNEL32(00000000,00000000,003EA3C7,00000000,00000000,000007D0,00000001), ref: 003E3FB8
• GetLastError.KERNEL32 ref: 003E3FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 003E3FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 003E3FE6
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait

APIs
• GetTickCount.KERNEL32 ref: 003E4E9E
• GetTickCount.KERNEL32 ref: 003E4EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 003E4EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 003E4EC3
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: CountTick$ExchangeInterlockedSleep

APIs
• GetTickCount.KERNEL32 ref: 003EA4D1
• GetTickCount.KERNEL32 ref: 003EA4E4
• Sleep.KERNEL32(00000000,?,003EC2E9,003EC4E0,00000000,localcfg,?,003EC4E0,003F3588,003E8810), ref: 003EA4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 003EA4FA
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: CountTick$ExchangeInterlockedSleep

APIs
• GetTickCount.KERNEL32 ref: 003E4BDD
• GetTickCount.KERNEL32 ref: 003E4BEC
• Sleep.KERNEL32(00000000,?,?,?,02C1B12C,003E50F2), ref: 003E4BF9
• InterlockedExchange.KERNEL32(02C1B120,00000001), ref: 003E4C02
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: CountTick$ExchangeInterlockedSleep

APIs
• GetTickCount.KERNEL32 ref: 003E3103
• GetTickCount.KERNEL32 ref: 003E310F
• Sleep.KERNEL32(00000000), ref: 003E311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 003E3128
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: CountTick$ExchangeInterlockedSleep

APIs
• WriteFile.KERNEL32(003E9A60,?,?,00000000,00000000,003E9A60,?,00000000), ref: 003E69F9
• WriteFile.KERNEL32(003E9A60,?,003E9A60,00000000,00000000), ref: 003E6A27
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: FileWrite
• String ID: ,k>

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: CountTick
• String ID: localcfg

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 003EC057
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl

APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 003E26C3
• inet_ntoa.WS2_32(?), ref: 003E26E4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg

APIs
• LoadLibraryA.KERNEL32(ntdll.dll,003EEB54,_alldiv,003EF0B7,80000001,00000000,00989680,00000000,?,?,?,003EE342,00000000,7508EA50,80000001,00000000), ref: 003EEAF2
• GetProcAddress.KERNEL32(76E80000,00000000), ref: 003EEB07
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll

APIs
  • Part of subcall function 003E2D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,003E2F01,?,003E20FF,003F2000), ref: 003E2D3A
  • Part of subcall function 003E2D21: LoadLibraryA.KERNEL32(?), ref: 003E2D4A
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 003E2F73
• HeapFree.KERNEL32(00000000), ref: 003E2F7A
Memory Dump Source
• Source File: 0000000F.00000002.3294767313.00000000003E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3e0000_svchost.jbxd
• API ID: Heap$FreeHandleLibraryLoadModuleProcess